summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--configure.ac6
-rw-r--r--doc/libnftables-json.adoc15
-rw-r--r--doc/nft.txt42
-rw-r--r--doc/payload-expression.txt63
-rw-r--r--doc/primary-expression.txt17
-rw-r--r--doc/statements.txt16
-rwxr-xr-xfiles/examples/secmark.nft10
-rw-r--r--include/Makefile.am1
-rw-r--r--include/expression.h11
-rw-r--r--include/json.h4
-rw-r--r--include/linux/netfilter/Makefile.am1
-rw-r--r--include/linux/netfilter/nf_tables.h2
-rw-r--r--include/linux/netfilter/nfnetlink.h3
-rw-r--r--include/linux/netfilter/nfnetlink_hook.h54
-rw-r--r--include/mnl.h3
-rw-r--r--include/netlink.h2
-rw-r--r--include/nftables.h11
-rw-r--r--include/nftables/libnftables.h3
-rw-r--r--include/parser.h3
-rw-r--r--include/proto.h1
-rw-r--r--include/rule.h8
-rw-r--r--include/sctp_chunk.h87
-rw-r--r--include/statement.h3
-rw-r--r--include/utils.h1
-rw-r--r--src/Makefile.am1
-rw-r--r--src/cache.c6
-rw-r--r--src/cmd.c77
-rw-r--r--src/datatype.c5
-rw-r--r--src/evaluate.c287
-rw-r--r--src/expression.c57
-rw-r--r--src/exthdr.c8
-rw-r--r--src/json.c54
-rw-r--r--src/libnftables.c103
-rw-r--r--src/libnftables.map7
-rw-r--r--src/main.c22
-rw-r--r--src/meta.c2
-rw-r--r--src/mnl.c338
-rw-r--r--src/netlink.c189
-rw-r--r--src/netlink_delinearize.c257
-rw-r--r--src/netlink_linearize.c50
-rw-r--r--src/parser_bison.y339
-rw-r--r--src/parser_json.c94
-rw-r--r--src/payload.c61
-rw-r--r--src/proto.c1
-rw-r--r--src/rule.c94
-rw-r--r--src/scanner.l63
-rw-r--r--src/sctp_chunk.c261
-rw-r--r--src/segtree.c28
-rw-r--r--src/statement.c44
-rw-r--r--src/utils.c10
-rw-r--r--tests/py/any/meta.t4
-rw-r--r--tests/py/any/meta.t.json40
-rw-r--r--tests/py/any/meta.t.payload38
-rw-r--r--tests/py/any/queue.t18
-rw-r--r--tests/py/any/queue.t.json90
-rw-r--r--tests/py/any/queue.t.payload25
-rw-r--r--tests/py/arp/arp.t6
-rw-r--r--tests/py/arp/arp.t.json120
-rw-r--r--tests/py/arp/arp.t.payload48
-rw-r--r--tests/py/arp/arp.t.payload.netdev60
-rw-r--r--tests/py/bridge/reject.t50
-rw-r--r--tests/py/bridge/reject.t.json36
-rw-r--r--tests/py/bridge/reject.t.payload36
-rw-r--r--tests/py/bridge/vlan.t23
-rw-r--r--tests/py/bridge/vlan.t.json54
-rw-r--r--tests/py/bridge/vlan.t.payload25
-rw-r--r--tests/py/bridge/vlan.t.payload.netdev25
-rw-r--r--tests/py/inet/ah.t8
-rw-r--r--tests/py/inet/ah.t.json160
-rw-r--r--tests/py/inet/ah.t.payload80
-rw-r--r--tests/py/inet/comp.t4
-rw-r--r--tests/py/inet/comp.t.json80
-rw-r--r--tests/py/inet/comp.t.payload40
-rw-r--r--tests/py/inet/ct.t2
-rw-r--r--tests/py/inet/ct.t.json8
-rw-r--r--tests/py/inet/ct.t.payload7
-rw-r--r--tests/py/inet/dccp.t5
-rw-r--r--tests/py/inet/dccp.t.json100
-rw-r--r--tests/py/inet/dccp.t.payload50
-rw-r--r--tests/py/inet/dnat.t1
-rw-r--r--tests/py/inet/dnat.t.json20
-rw-r--r--tests/py/inet/dnat.t.payload7
-rw-r--r--tests/py/inet/esp.t5
-rw-r--r--tests/py/inet/esp.t.json80
-rw-r--r--tests/py/inet/esp.t.payload40
-rw-r--r--tests/py/inet/ip.t2
-rw-r--r--tests/py/inet/reject.t51
-rw-r--r--tests/py/inet/reject.t.json48
-rw-r--r--tests/py/inet/reject.t.json.output4
-rw-r--r--tests/py/inet/reject.t.payload.inet42
-rw-r--r--tests/py/inet/sctp.t45
-rw-r--r--tests/py/inet/sctp.t.json598
-rw-r--r--tests/py/inet/sctp.t.payload233
-rw-r--r--tests/py/inet/tcp.t18
-rw-r--r--tests/py/inet/tcp.t.json307
-rw-r--r--tests/py/inet/tcp.t.payload142
-rw-r--r--tests/py/inet/udp.t8
-rw-r--r--tests/py/inet/udp.t.json166
-rw-r--r--tests/py/inet/udp.t.payload82
-rw-r--r--tests/py/inet/udplite.t8
-rw-r--r--tests/py/inet/udplite.t.json126
-rw-r--r--tests/py/inet/udplite.t.payload62
-rw-r--r--tests/py/ip/dnat.t7
-rw-r--r--tests/py/ip/dnat.t.payload.ip76
-rw-r--r--tests/py/ip/icmp.t15
-rw-r--r--tests/py/ip/icmp.t.json395
-rw-r--r--tests/py/ip/icmp.t.payload.ip183
-rw-r--r--tests/py/ip/igmp.t2
-rw-r--r--tests/py/ip/igmp.t.json50
-rw-r--r--tests/py/ip/igmp.t.payload20
-rw-r--r--tests/py/ip/ip.t15
-rw-r--r--tests/py/ip/ip.t.json329
-rw-r--r--tests/py/ip/ip.t.payload113
-rw-r--r--tests/py/ip/ip.t.payload.bridge142
-rw-r--r--tests/py/ip/ip.t.payload.inet142
-rw-r--r--tests/py/ip/ip.t.payload.netdev142
-rw-r--r--tests/py/ip/reject.t19
-rw-r--r--tests/py/ip/reject.t.json24
-rw-r--r--tests/py/ip/reject.t.payload18
-rw-r--r--tests/py/ip/sets.t.json84
-rw-r--r--tests/py/ip/snat.t5
-rw-r--r--tests/py/ip/snat.t.json2
-rw-r--r--tests/py/ip/snat.t.payload12
-rw-r--r--tests/py/ip6/dst.t5
-rw-r--r--tests/py/ip6/dst.t.json81
-rw-r--r--tests/py/ip6/dst.t.payload.inet41
-rw-r--r--tests/py/ip6/dst.t.payload.ip634
-rw-r--r--tests/py/ip6/frag.t6
-rw-r--r--tests/py/ip6/frag.t.payload.inet62
-rw-r--r--tests/py/ip6/frag.t.payload.ip650
-rw-r--r--tests/py/ip6/hbh.t4
-rw-r--r--tests/py/ip6/hbh.t.json80
-rw-r--r--tests/py/ip6/hbh.t.payload.inet40
-rw-r--r--tests/py/ip6/hbh.t.payload.ip632
-rw-r--r--tests/py/ip6/icmpv6.t15
-rw-r--r--tests/py/ip6/icmpv6.t.json243
-rw-r--r--tests/py/ip6/icmpv6.t.payload.ip6143
-rw-r--r--tests/py/ip6/ip6.t8
-rw-r--r--tests/py/ip6/ip6.t.json122
-rw-r--r--tests/py/ip6/ip6.t.payload.inet82
-rw-r--r--tests/py/ip6/ip6.t.payload.ip666
-rw-r--r--tests/py/ip6/mh.t8
-rw-r--r--tests/py/ip6/mh.t.json162
-rw-r--r--tests/py/ip6/mh.t.payload.inet81
-rw-r--r--tests/py/ip6/mh.t.payload.ip665
-rw-r--r--tests/py/ip6/reject.t17
-rw-r--r--tests/py/ip6/reject.t.json22
-rw-r--r--tests/py/ip6/reject.t.payload.ip616
-rw-r--r--tests/py/ip6/rt.t8
-rw-r--r--tests/py/ip6/rt.t.json160
-rw-r--r--tests/py/ip6/rt.t.payload.inet80
-rw-r--r--tests/py/ip6/rt.t.payload.ip664
-rw-r--r--tests/py/netdev/reject.t54
-rw-r--r--tests/py/netdev/reject.t.json108
-rw-r--r--tests/py/netdev/reject.t.payload42
-rwxr-xr-xtests/py/nft-test.py6
-rwxr-xr-xtests/shell/testcases/maps/0010concat_map_019
-rwxr-xr-xtests/shell/testcases/maps/0011vmap_025
-rw-r--r--tests/shell/testcases/maps/dumps/0010concat_map_0.nft11
-rw-r--r--tests/shell/testcases/maps/dumps/0011vmap_0.nft19
-rw-r--r--tests/shell/testcases/maps/dumps/nat_addr_port.nft24
-rwxr-xr-xtests/shell/testcases/nft-f/0026listing_014
-rwxr-xr-xtests/shell/testcases/nft-f/0027split_chains_017
-rwxr-xr-xtests/shell/testcases/nft-f/0028variable_cmdline_017
-rw-r--r--tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft9
-rw-r--r--tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft8
-rw-r--r--tests/shell/testcases/optimizations/dumps/single_anon_set.nft15
-rw-r--r--tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input35
-rwxr-xr-xtests/shell/testcases/optimizations/single_anon_set13
-rwxr-xr-xtests/shell/testcases/sets/0031set_timeout_size_04
-rwxr-xr-xtests/shell/testcases/sets/0047nat_02
-rwxr-xr-xtests/shell/testcases/sets/0062set_connlimit_012
-rwxr-xr-xtests/shell/testcases/sets/0065_icmp_postprocessing13
-rwxr-xr-xtests/shell/testcases/sets/0067nat_concat_interval_033
-rw-r--r--tests/shell/testcases/sets/dumps/0047nat_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0053echo_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft19
177 files changed, 4372 insertions, 5905 deletions
diff --git a/configure.ac b/configure.ac
index 5f30760f..dc6f4648 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([nftables], [0.9.8], [netfilter-devel@vger.kernel.org])
-AC_DEFINE([RELEASE_NAME], ["E.D.S."], [Release name])
+AC_INIT([nftables], [0.9.9], [netfilter-devel@vger.kernel.org])
+AC_DEFINE([RELEASE_NAME], ["Prudence Pimpleton"], [Release name])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIR([m4])
@@ -57,7 +57,7 @@ AS_IF([test "x$enable_man_doc" = "xyes"], [
])
PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.4])
-PKG_CHECK_MODULES([LIBNFTNL], [libnftnl >= 1.1.9])
+PKG_CHECK_MODULES([LIBNFTNL], [libnftnl >= 1.2.0])
AC_ARG_WITH([mini-gmp], [AS_HELP_STRING([--with-mini-gmp],
[Use builtin mini-gmp (for embedded builds)])],
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
index 858abbf7..c152dc05 100644
--- a/doc/libnftables-json.adoc
+++ b/doc/libnftables-json.adoc
@@ -904,7 +904,7 @@ Reject the packet and send the given error reply.
*type*::
Type of reject, either *"tcp reset"*, *"icmpx"*, *"icmp"* or *"icmpv6"*.
*expr*::
- ICMP type to reject with.
+ ICMP code to reject with.
All properties are optional.
@@ -1200,6 +1200,19 @@ Create a reference to a field (*field*) of a TCP option header (*name*).
If the *field* property is not given, the expression is to be used as a TCP option
existence check in a *match* statement with a boolean on the right hand side.
+=== SCTP CHUNK
+[verse]
+*{ "sctp chunk": {
+ "name":* 'STRING'*,
+ "field":* 'STRING'
+*}}*
+
+Create a reference to a field (*field*) of an SCTP chunk (*name*).
+
+If the *field* property is not given, the expression is to be used as an SCTP
+chunk existence check in a *match* statement with a boolean on the right hand
+side.
+
=== META
[verse]
____
diff --git a/doc/nft.txt b/doc/nft.txt
index 55747036..13fe8b1f 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -44,6 +44,10 @@ understanding of their meaning. You can get information about options by running
*--file 'filename'*::
Read input from 'filename'. If 'filename' is -, read from stdin.
+*-D*::
+*--define 'name=value'*::
+ Define a variable. You can only combine this option with '-f'.
+
*-i*::
*--interactive*::
Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker,
@@ -683,6 +687,16 @@ and subtraction can be used to set relative priority, e.g. filter + 5 equals to
*delete*:: Delete the specified flowtable.
*list*:: List all flowtables.
+LISTING
+-------
+[verse]
+*list { secmarks | synproxys | flow tables | meters | hooks }* ['family']
+*list { secmarks | synproxys | flow tables | meters | hooks } table* ['family'] 'table'
+*list ct { timeout | expectation | helper | helpers } table* ['family'] 'table'
+
+Inspect configured objects.
+*list hooks* shows the full hook pipeline, including those registered by
+kernel modules, such as nf_conntrack.
STATEFUL OBJECTS
----------------
@@ -691,8 +705,9 @@ STATEFUL OBJECTS
*delete* 'type' ['family'] 'table' *handle* 'handle'
*list counters* ['family']
*list quotas* ['family']
+*list limits* ['family']
-Stateful objects are attached to tables and are identified by an unique name.
+Stateful objects are attached to tables and are identified by a unique name.
They group stateful information from rules, to reference them in rules the
keywords "type name" are used e.g. "counter name".
@@ -805,13 +820,26 @@ These are some additional commands included in nft.
MONITOR
~~~~~~~~
The monitor command allows you to listen to Netlink events produced by the
-nf_tables subsystem, related to creation and deletion of objects. When they
+nf_tables subsystem. These are either related to creation and deletion of
+objects or to packets for which *meta nftrace* was enabled. When they
occur, nft will print to stdout the monitored events in either JSON or
native nft format. +
-To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'. +
+[verse]
+____
+*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'
+*monitor* *trace*
-To filter events related to a concrete action, use keyword 'new' or 'destroy'.
+'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset*
+____
+
+To filter events related to a concrete object, use one of the keywords in
+'MONITOR_OBJECT'.
+
+To filter events related to a concrete action, use keyword *new* or *destroy*.
+
+The second form of invocation takes no further options and exclusively prints
+events generated for packets with *nftrace* enabled.
Hit ^C to finish the monitor operation.
@@ -835,6 +863,12 @@ Hit ^C to finish the monitor operation.
% nft monitor ruleset
---------------------
+.Trace incoming packets from host 10.0.0.1
+------------------------------------------
+% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1
+% nft monitor trace
+------------------------------------------
+
ERROR REPORTING
---------------
When an error is detected, nft shows the line(s) containing the error, the
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index a593e2e7..930a1807 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -21,7 +21,7 @@ ether_type
VLAN HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
-*vlan* {*id* | *cfi* | *pcp* | *type*}
+*vlan* {*id* | *dei* | *pcp* | *type*}
.VLAN header expression
[options="header"]
@@ -30,8 +30,8 @@ VLAN HEADER EXPRESSION
|id|
VLAN ID (VID) |
integer (12 bit)
-|cfi|
-Canonical Format Indicator|
+|dei|
+Drop Eligible Indicator|
integer (1 bit)
|pcp|
Priority code point|
@@ -369,7 +369,33 @@ integer (16 bit)
SCTP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~~
[verse]
+____
*sctp* {*sport* | *dport* | *vtag* | *checksum*}
+*sctp chunk* 'CHUNK' [ 'FIELD' ]
+
+'CHUNK' := *data* | *init* | *init-ack* | *sack* | *heartbeat* |
+ *heartbeat-ack* | *abort* | *shutdown* | *shutdown-ack* | *error* |
+ *cookie-echo* | *cookie-ack* | *ecne* | *cwr* | *shutdown-complete*
+ | *asconf-ack* | *forward-tsn* | *asconf*
+
+'FIELD' := 'COMMON_FIELD' | 'DATA_FIELD' | 'INIT_FIELD' | 'INIT_ACK_FIELD' |
+ 'SACK_FIELD' | 'SHUTDOWN_FIELD' | 'ECNE_FIELD' | 'CWR_FIELD' |
+ 'ASCONF_ACK_FIELD' | 'FORWARD_TSN_FIELD' | 'ASCONF_FIELD'
+
+'COMMON_FIELD' := *type* | *flags* | *length*
+'DATA_FIELD' := *tsn* | *stream* | *ssn* | *ppid*
+'INIT_FIELD' := *init-tag* | *a-rwnd* | *num-outbound-streams* |
+ *num-inbound-streams* | *initial-tsn*
+'INIT_ACK_FIELD' := 'INIT_FIELD'
+'SACK_FIELD' := *cum-tsn-ack* | *a-rwnd* | *num-gap-ack-blocks* |
+ *num-dup-tsns*
+'SHUTDOWN_FIELD' := *cum-tsn-ack*
+'ECNE_FIELD' := *lowest-tsn*
+'CWR_FIELD' := *lowest-tsn*
+'ASCONF_ACK_FIELD' := *seqno*
+'FORWARD_TSN_FIELD' := *new-cum-tsn*
+'ASCONF_FIELD' := *seqno*
+____
.SCTP header expression
[options="header"]
@@ -387,8 +413,35 @@ integer (32 bit)
|checksum|
Checksum|
integer (32 bit)
+|chunk|
+Search chunk in packet|
+without 'FIELD', boolean indicating existence
|================
+.SCTP chunk fields
+[options="header"]
+|==================
+|Name| Width in bits | Chunk | Notes
+|type| 8 | all | not useful, defined by chunk type
+|flags| 8 | all | semantics defined on per-chunk basis
+|length| 16 | all | length of this chunk in bytes excluding padding
+|tsn| 32 | data | transmission sequence number
+|stream| 16 | data | stream identifier
+|ssn| 16 | data | stream sequence number
+|ppid| 32 | data | payload protocol identifier
+|init-tag| 32 | init, init-ack | initiate tag
+|a-rwnd| 32 | init, init-ack, sack | advertised receiver window credit
+|num-outbound-streams| 16 | init, init-ack | number of outbound streams
+|num-inbound-streams| 16 | init, init-ack | number of inbound streams
+|initial-tsn| 32 | init, init-ack | initial transmit sequence number
+|cum-tsn-ack| 32 | sack, shutdown | cumulative transmission sequence number acknowledged
+|num-gap-ack-blocks| 16 | sack | number of Gap Ack Blocks included
+|num-dup-tsns| 16 | sack | number of duplicate transmission sequence numbers received
+|lowest-tsn| 32 | ecne, cwr | lowest transmission sequence number
+|seqno| 32 | asconf-ack, asconf | sequence number
+|new-cum-tsn| 32 | forward-tsn | new cumulative transmission sequence number
+|==================
+
DCCP HEADER EXPRESSION
~~~~~~~~~~~~~~~~~~~~~~
[verse]
@@ -646,8 +699,8 @@ is true for the *zone*, if a direction is given, the zone is only matched if the
zone id is tied to the given direction. +
[verse]
-*ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label*}
-*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone* | *id*}
+*ct* {*state* | *direction* | *status* | *mark* | *expiration* | *helper* | *label* | *count* | *id*}
+*ct* [*original* | *reply*] {*l3proto* | *protocol* | *bytes* | *packets* | *avgpkt* | *zone*}
*ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
*ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index c24e2636..f97778b9 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -196,10 +196,14 @@ SOCKET EXPRESSION
~~~~~~~~~~~~~~~~~
[verse]
*socket* {*transparent* | *mark* | *wildcard*}
+*socket* *cgroupv2* *level* 'NUM'
Socket expression can be used to search for an existing open TCP/UDP socket and
its attributes that can be associated with a packet. It looks for an established
-or non-zero bound listening socket (possibly with a non-local address).
+or non-zero bound listening socket (possibly with a non-local address). You can
+also use it to match on the socket cgroupv2 at a given ancestor level, e.g. if
+the socket belongs to cgroupv2 'a/b', ancestor level 1 checks for a matching on
+cgroup 'a' and ancestor level 2 checks for a matching on cgroup 'b'.
.Available socket attributes
[options="header"]
@@ -212,6 +216,9 @@ boolean (1 bit)
|wildcard|
Indicates whether the socket is wildcard-bound (e.g. 0.0.0.0 or ::0). |
boolean (1 bit)
+|cgroupv2|
+cgroup version 2 for this socket (path from /sys/fs/cgroup)|
+cgroupv2
|==================
.Using socket expression
@@ -241,6 +248,14 @@ table inet x {
tcp dport 8080 mark set socket mark
}
}
+
+# Count packets for cgroupv2 "user.slice" at level 1
+table inet x {
+ chain y {
+ type filter hook input priority filter; policy accept;
+ socket cgroupv2 level 1 "user.slice" counter
+ }
+}
----------------------
OSF EXPRESSION
diff --git a/doc/statements.txt b/doc/statements.txt
index 7c7240c8..af98e42c 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -163,9 +163,9 @@ REJECT STATEMENT
____
*reject* [ *with* 'REJECT_WITH' ]
-'REJECT_WITH' := *icmp type* 'icmp_code' |
- *icmpv6 type* 'icmpv6_code' |
- *icmpx type* 'icmpx_code' |
+'REJECT_WITH' := *icmp* 'icmp_code' |
+ *icmpv6* 'icmpv6_code' |
+ *icmpx* 'icmpx_code' |
*tcp reset*
____
@@ -589,13 +589,19 @@ for details.
[verse]
____
-*queue* [*num* 'queue_number'] [*bypass*]
-*queue* [*num* 'queue_number_from' - 'queue_number_to'] ['QUEUE_FLAGS']
+*queue* [*flags* 'QUEUE_FLAGS'] [*num* 'queue_number']
+*queue* [*flags* 'QUEUE_FLAGS'] [*num* 'queue_number_from' - 'queue_number_to']
+*queue* [*flags* 'QUEUE_FLAGS'] [*to* 'QUEUE_EXPRESSION' ]
'QUEUE_FLAGS' := 'QUEUE_FLAG' [*,* 'QUEUE_FLAGS']
'QUEUE_FLAG' := *bypass* | *fanout*
+'QUEUE_EXPRESSION' := *numgen* | *hash* | *symhash* | *MAP STATEMENT*
____
+QUEUE_EXPRESSION can be used to compute a queue number
+at run-time with the hash or numgen expressions. It also
+allows to use the map statement to assign fixed queue numbers
+based on external inputs such as the source ip address or interface names.
.queue statement values
[options="header"]
diff --git a/files/examples/secmark.nft b/files/examples/secmark.nft
index 16f9a368..c923cebb 100755
--- a/files/examples/secmark.nft
+++ b/files/examples/secmark.nft
@@ -10,7 +10,7 @@
flush ruleset
-table inet filter {
+table inet x {
secmark ssh_server {
"system_u:object_r:ssh_server_packet_t:s0"
}
@@ -57,8 +57,8 @@ table inet filter {
elements = { 22 : "ssh_client", 53 : "dns_client", 80 : "http_client", 123 : "ntp_client", 443 : "http_client", 9418 : "git_client" }
}
- chain input {
- type filter hook input priority 0;
+ chain y {
+ type filter hook input priority -225;
# label new incoming packets and add to connection
ct state new meta secmark set tcp dport map @secmapping_in
@@ -71,8 +71,8 @@ table inet filter {
ct state established,related meta secmark set ct secmark
}
- chain output {
- type filter hook output priority 0;
+ chain z {
+ type filter hook output priority 225;
# label new outgoing packets and add to connection
ct state new meta secmark set tcp dport map @secmapping_out
diff --git a/include/Makefile.am b/include/Makefile.am
index b1339814..b997f46b 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -32,6 +32,7 @@ noinst_HEADERS = cli.h \
owner.h \
parser.h \
proto.h \
+ sctp_chunk.h \
socket.h \
rule.h \
rt.h \
diff --git a/include/expression.h b/include/expression.h
index be703d75..742fcdd7 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -72,6 +72,7 @@ enum expr_types {
EXPR_FIB,
EXPR_XFRM,
EXPR_SET_ELEM_CATCHALL,
+ EXPR_FLAGCMP,
};
#define EXPR_MAX EXPR_XFRM
@@ -370,6 +371,12 @@ struct expr {
uint8_t ttl;
uint32_t flags;
} osf;
+ struct {
+ /* EXPR_FLAGCMP */
+ struct expr *expr;
+ struct expr *mask;
+ struct expr *value;
+ } flagcmp;
};
};
@@ -500,6 +507,10 @@ extern struct expr *set_elem_expr_alloc(const struct location *loc,
struct expr *set_elem_catchall_expr_alloc(const struct location *loc);
+struct expr *flagcmp_expr_alloc(const struct location *loc, enum ops op,
+ struct expr *expr, struct expr *mask,
+ struct expr *value);
+
extern void range_expr_value_low(mpz_t rop, const struct expr *expr);
extern void range_expr_value_high(mpz_t rop, const struct expr *expr);
diff --git a/include/json.h b/include/json.h
index 41142208..3db9f278 100644
--- a/include/json.h
+++ b/include/json.h
@@ -28,6 +28,7 @@ struct list_head;
json_t *binop_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *relational_expr_json(const struct expr *expr, struct output_ctx *octx);
+json_t *flagcmp_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *range_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *meta_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *payload_expr_json(const struct expr *expr, struct output_ctx *octx);
@@ -36,6 +37,7 @@ json_t *concat_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *set_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *set_ref_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx);
+json_t *set_elem_catchall_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *prefix_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *list_expr_json(const struct expr *expr, struct output_ctx *octx);
json_t *unary_expr_json(const struct expr *expr, struct output_ctx *octx);
@@ -127,6 +129,7 @@ static inline json_t *name##_json(arg1_t arg1, arg2_t arg2) { return NULL; }
JSON_PRINT_STUB(name##_stmt, const struct stmt *, struct output_ctx *)
EXPR_PRINT_STUB(binop_expr)
+EXPR_PRINT_STUB(flagcmp_expr)
EXPR_PRINT_STUB(relational_expr)
EXPR_PRINT_STUB(range_expr)
EXPR_PRINT_STUB(meta_expr)
@@ -144,6 +147,7 @@ EXPR_PRINT_STUB(map_expr)
EXPR_PRINT_STUB(exthdr_expr)
EXPR_PRINT_STUB(verdict_expr)
EXPR_PRINT_STUB(rt_expr)
+EXPR_PRINT_STUB(set_elem_catchall_expr)
EXPR_PRINT_STUB(numgen_expr)
EXPR_PRINT_STUB(hash_expr)
EXPR_PRINT_STUB(fib_expr)
diff --git a/include/linux/netfilter/Makefile.am b/include/linux/netfilter/Makefile.am
index 04c9ab80..22f66a7e 100644
--- a/include/linux/netfilter/Makefile.am
+++ b/include/linux/netfilter/Makefile.am
@@ -6,4 +6,5 @@ noinst_HEADERS = nf_conntrack_common.h \
nf_tables_compat.h \
nf_synproxy.h \
nfnetlink_osf.h \
+ nfnetlink_hook.h \
nfnetlink.h
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 894a62cf..75df968d 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -808,11 +808,13 @@ enum nft_exthdr_flags {
* @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
* @NFT_EXTHDR_OP_TCP: match against tcp options
* @NFT_EXTHDR_OP_IPV4: match against ipv4 options
+ * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
*/
enum nft_exthdr_op {
NFT_EXTHDR_OP_IPV6,
NFT_EXTHDR_OP_TCPOPT,
NFT_EXTHDR_OP_IPV4,
+ NFT_EXTHDR_OP_SCTP,
__NFT_EXTHDR_OP_MAX
};
#define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 454f78d0..49e2b2c5 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -59,7 +59,8 @@ struct nfgenmsg {
#define NFNL_SUBSYS_CTHELPER 9
#define NFNL_SUBSYS_NFTABLES 10
#define NFNL_SUBSYS_NFT_COMPAT 11
-#define NFNL_SUBSYS_COUNT 12
+#define NFNL_SUBSYS_HOOK 12
+#define NFNL_SUBSYS_COUNT 13
/* Reserved control nfnetlink messages */
#define NFNL_MSG_BATCH_BEGIN NLMSG_MIN_TYPE
diff --git a/include/linux/netfilter/nfnetlink_hook.h b/include/linux/netfilter/nfnetlink_hook.h
new file mode 100644
index 00000000..d8ac8278
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_hook.h
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _NFNL_HOOK_H_
+#define _NFNL_HOOK_H_
+
+enum nfnl_hook_msg_types {
+ NFNL_MSG_HOOK_GET,
+ NFNL_MSG_HOOK_MAX,
+};
+
+/**
+ * enum nfnl_hook_attributes - nf_tables netfilter hook netlink attributes
+ *
+ * @NFNLA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
+ * @NFNLAA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
+ * @NFNLA_HOOK_DEV: netdevice name (NLA_STRING)
+ * @NFNLA_HOOK_FUNCTION_NAME: hook function name (NLA_STRING)
+ * @NFNLA_HOOK_MODULE_NAME: kernel module that registered this hook (NLA_STRING)
+ * @NFNLA_HOOK_CHAIN_INFO: basechain hook metadata (NLA_NESTED)
+ */
+enum nfnl_hook_attributes {
+ NFNLA_HOOK_UNSPEC,
+ NFNLA_HOOK_HOOKNUM,
+ NFNLA_HOOK_PRIORITY,
+ NFNLA_HOOK_DEV,
+ NFNLA_HOOK_FUNCTION_NAME,
+ NFNLA_HOOK_MODULE_NAME,
+ NFNLA_HOOK_CHAIN_INFO,
+ __NFNLA_HOOK_MAX
+};
+#define NFNLA_HOOK_MAX (__NFNLA_HOOK_MAX - 1)
+
+/**
+ * enum nfnl_hook_chain_info_attributes - chain description
+ *
+ * NFNLA_HOOK_INFO_DESC: nft chain and table name (enum nft_table_attributes) (NLA_NESTED)
+ * NFNLA_HOOK_INFO_TYPE: chain type (enum nfnl_hook_chaintype) (NLA_U32)
+ */
+enum nfnl_hook_chain_info_attributes {
+ NFNLA_HOOK_INFO_UNSPEC,
+ NFNLA_HOOK_INFO_DESC,
+ NFNLA_HOOK_INFO_TYPE,
+ __NFNLA_HOOK_INFO_MAX,
+};
+#define NFNLA_HOOK_INFO_MAX (__NFNLA_HOOK_INFO_MAX - 1)
+
+/**
+ * enum nfnl_hook_chaintype - chain type
+ *
+ * @NFNL_HOOK_TYPE_NFTABLES nf_tables base chain
+ */
+enum nfnl_hook_chaintype {
+ NFNL_HOOK_TYPE_NFTABLES = 0x1,
+};
+#endif /* _NFNL_HOOK_H */
diff --git a/include/mnl.h b/include/mnl.h
index 979929c3..68ec80cd 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -82,6 +82,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
unsigned int flags);
int mnl_nft_flowtable_del(struct netlink_ctx *ctx, struct cmd *cmd);
+int mnl_nft_dump_nf_hooks(struct netlink_ctx *ctx, int family, int hook,
+ const char *devname);
+
int mnl_nft_event_listener(struct mnl_socket *nf_sock, unsigned int debug_mask,
struct output_ctx *octx,
int (*cb)(const struct nlmsghdr *nlh, void *data),
diff --git a/include/netlink.h b/include/netlink.h
index a7c524ca..0c8655ca 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -181,7 +181,7 @@ extern void netlink_dump_flowtable(struct nftnl_flowtable *flo, struct netlink_c
__netlink_abi_error(__FILE__, __LINE__, strerror(errno));
extern void __noreturn __netlink_abi_error(const char *file, int line, const char *reason);
extern int netlink_io_error(struct netlink_ctx *ctx,
- const struct location *loc, const char *fmt, ...);
+ const struct location *loc, const char *fmt, ...) __attribute__((format(printf, 3, 4)));
#define netlink_init_error() \
__netlink_init_error(__FILE__, __LINE__, strerror(errno));
extern void __noreturn __netlink_init_error(const char *file, int line, const char *reason);
diff --git a/include/nftables.h b/include/nftables.h
index f239fcf0..7b633905 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -100,12 +100,23 @@ struct mnl_socket;
struct parser_state;
struct scope;
+struct nft_vars {
+ const char *key;
+ const char *value;
+};
+
#define MAX_INCLUDE_DEPTH 16
struct nft_ctx {
struct mnl_socket *nf_sock;
char **include_paths;
unsigned int num_include_paths;
+ struct nft_vars *vars;
+ struct {
+ const char *buf;
+ struct list_head indesc_list;
+ } vars_ctx;
+ unsigned int num_vars;
unsigned int parser_max_errors;
unsigned int debug_mask;
struct output_ctx output;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 765b20dd..8e7151a3 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -78,6 +78,9 @@ const char *nft_ctx_get_error_buffer(struct nft_ctx *ctx);
int nft_ctx_add_include_path(struct nft_ctx *ctx, const char *path);
void nft_ctx_clear_include_paths(struct nft_ctx *ctx);
+int nft_ctx_add_var(struct nft_ctx *ctx, const char *var);
+void nft_ctx_clear_vars(struct nft_ctx *ctx);
+
int nft_run_cmd_from_buffer(struct nft_ctx *nft, const char *buf);
int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename);
diff --git a/include/parser.h b/include/parser.h
index d890ab22..e8635b4c 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -38,14 +38,17 @@ enum startcond_type {
PARSER_SC_IP6,
PARSER_SC_LIMIT,
PARSER_SC_QUOTA,
+ PARSER_SC_SCTP,
PARSER_SC_SECMARK,
PARSER_SC_VLAN,
+ PARSER_SC_CMD_LIST,
PARSER_SC_EXPR_FIB,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_IPSEC,
PARSER_SC_EXPR_NUMGEN,
PARSER_SC_EXPR_QUEUE,
PARSER_SC_EXPR_RT,
+ PARSER_SC_EXPR_SCTP_CHUNK,
PARSER_SC_EXPR_SOCKET,
PARSER_SC_STMT_LOG,
diff --git a/include/proto.h b/include/proto.h
index b9217588..580e4090 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -227,6 +227,7 @@ enum eth_hdr_fields {
enum vlan_hdr_fields {
VLANHDR_INVALID,
VLANHDR_PCP,
+ VLANHDR_DEI,
VLANHDR_CFI,
VLANHDR_VID,
VLANHDR_TYPE,
diff --git a/include/rule.h b/include/rule.h
index fbd2c9a7..357326a3 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -213,6 +213,11 @@ struct hook_spec {
unsigned int num;
};
+struct chain_type_spec {
+ struct location loc;
+ const char *str;
+};
+
/**
* struct chain - nftables chain
*
@@ -242,7 +247,7 @@ struct chain {
struct prio_spec priority;
struct hook_spec hook;
struct expr *policy;
- const char *type;
+ struct chain_type_spec type;
const char **dev_array;
struct expr *dev_expr;
int dev_array_len;
@@ -639,6 +644,7 @@ enum cmd_obj {
CMD_OBJ_CT_EXPECT,
CMD_OBJ_SYNPROXY,
CMD_OBJ_SYNPROXYS,
+ CMD_OBJ_HOOKS,
};
struct markup {
diff --git a/include/sctp_chunk.h b/include/sctp_chunk.h
new file mode 100644
index 00000000..3819200f
--- /dev/null
+++ b/include/sctp_chunk.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright Red Hat
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 (or any
+ * later) as published by the Free Software Foundation.
+ */
+
+#ifndef NFTABLES_SCTP_CHUNK_H
+#define NFTABLES_SCTP_CHUNK_H
+
+/* SCTP chunk types used on wire */
+enum sctp_hdr_chunk_types {
+ SCTP_CHUNK_TYPE_DATA = 0,
+ SCTP_CHUNK_TYPE_INIT = 1,
+ SCTP_CHUNK_TYPE_INIT_ACK = 2,
+ SCTP_CHUNK_TYPE_SACK = 3,
+ SCTP_CHUNK_TYPE_HEARTBEAT = 4,
+ SCTP_CHUNK_TYPE_HEARTBEAT_ACK = 5,
+ SCTP_CHUNK_TYPE_ABORT = 6,
+ SCTP_CHUNK_TYPE_SHUTDOWN = 7,
+ SCTP_CHUNK_TYPE_SHUTDOWN_ACK = 8,
+ SCTP_CHUNK_TYPE_ERROR = 9,
+ SCTP_CHUNK_TYPE_COOKIE_ECHO = 10,
+ SCTP_CHUNK_TYPE_COOKIE_ACK = 11,
+ SCTP_CHUNK_TYPE_ECNE = 12,
+ SCTP_CHUNK_TYPE_CWR = 13,
+ SCTP_CHUNK_TYPE_SHUTDOWN_COMPLETE = 14,
+ SCTP_CHUNK_TYPE_ASCONF_ACK = 128,
+ SCTP_CHUNK_TYPE_FORWARD_TSN = 192,
+ SCTP_CHUNK_TYPE_ASCONF = 193,
+};
+
+enum sctp_hdr_chunk_common_fields {
+ SCTP_CHUNK_COMMON_TYPE,
+ SCTP_CHUNK_COMMON_FLAGS,
+ SCTP_CHUNK_COMMON_LENGTH,
+ __SCTP_CHUNK_COMMON_MAX,
+};
+
+#define SCTP_CHUNK_START_INDEX __SCTP_CHUNK_COMMON_MAX
+
+enum sctp_hdr_chunk_data_fields {
+ SCTP_CHUNK_DATA_TSN = SCTP_CHUNK_START_INDEX,
+ SCTP_CHUNK_DATA_STREAM,
+ SCTP_CHUNK_DATA_SSN,
+ SCTP_CHUNK_DATA_PPID,
+};
+
+enum sctp_hdr_chunk_init_fields {
+ SCTP_CHUNK_INIT_TAG = SCTP_CHUNK_START_INDEX,
+ SCTP_CHUNK_INIT_RWND,
+ SCTP_CHUNK_INIT_OSTREAMS,
+ SCTP_CHUNK_INIT_ISTREAMS,
+ SCTP_CHUNK_INIT_TSN,
+};
+
+enum sctp_hdr_chunk_sack_fields {
+ SCTP_CHUNK_SACK_CTSN_ACK = SCTP_CHUNK_START_INDEX,
+ SCTP_CHUNK_SACK_RWND,
+ SCTP_CHUNK_SACK_GACK_BLOCKS,
+ SCTP_CHUNK_SACK_DUP_TSNS,
+};
+
+enum sctp_hdr_chunk_shutdown_fields {
+ SCTP_CHUNK_SHUTDOWN_CTSN_ACK = SCTP_CHUNK_START_INDEX,
+};
+
+enum sctp_hdr_chunk_ecne_cwr_fields {
+ SCTP_CHUNK_ECNE_CWR_MIN_TSN = SCTP_CHUNK_START_INDEX,
+};
+
+enum sctp_hdr_chunk_asconf_fields {
+ SCTP_CHUNK_ASCONF_SEQNO = SCTP_CHUNK_START_INDEX,
+};
+
+enum sctp_hdr_chunk_fwd_tsn_fields {
+ SCTP_CHUNK_FORWARD_TSN_NCTSN = SCTP_CHUNK_START_INDEX,
+};
+
+struct expr *sctp_chunk_expr_alloc(const struct location *loc,
+ unsigned int type, unsigned int field);
+void sctp_chunk_init_raw(struct expr *expr, uint8_t type, unsigned int off,
+ unsigned int len, uint32_t flags);
+const struct exthdr_desc *sctp_chunk_protocol_find(const char *name);
+
+#endif /* NFTABLES_SCTP_CHUNK_H */
diff --git a/include/statement.h b/include/statement.h
index 7637a82e..06221040 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -159,7 +159,8 @@ struct queue_stmt {
uint16_t flags;
};
-extern struct stmt *queue_stmt_alloc(const struct location *loc);
+extern struct stmt *queue_stmt_alloc(const struct location *loc,
+ struct expr *e, uint16_t flags);
struct quota_stmt {
uint64_t bytes;
diff --git a/include/utils.h b/include/utils.h
index f45f2513..ffbe2cbb 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -133,6 +133,7 @@ extern void *xmalloc(size_t size);
extern void *xmalloc_array(size_t nmemb, size_t size);
extern void *xrealloc(void *ptr, size_t size);
extern void *xzalloc(size_t size);
+extern void *xzalloc_array(size_t nmemb, size_t size);
extern char *xstrdup(const char *s);
extern void xstrunescape(const char *in, char *out);
diff --git a/src/Makefile.am b/src/Makefile.am
index 2f6d434b..01c12c81 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -75,6 +75,7 @@ libnftables_la_SOURCES = \
tcpopt.c \
socket.c \
print.c \
+ sctp_chunk.c \
libnftables.c \
libnftables.map
diff --git a/src/cache.c b/src/cache.c
index f59bba03..ff63e59e 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -747,10 +747,12 @@ replay:
ret = nft_cache_init(&ctx, flags);
if (ret < 0) {
- nft_cache_release(cache);
- if (errno == EINTR)
+ if (errno == EINTR) {
+ nft_cache_release(cache);
goto replay;
+ }
+ nft_cache_release(cache);
return -1;
}
diff --git a/src/cmd.c b/src/cmd.c
index f9716fcc..d956919b 100644
--- a/src/cmd.c
+++ b/src/cmd.c
@@ -27,20 +27,46 @@ static int nft_cmd_enoent_table(struct netlink_ctx *ctx, const struct cmd *cmd,
return 1;
}
+static int table_fuzzy_check(struct netlink_ctx *ctx, const struct cmd *cmd,
+ const struct table *table)
+{
+ if (table_cache_find(&ctx->nft->cache.table_cache,
+ cmd->handle.table.name, cmd->handle.family))
+ return 0;
+
+ if (strcmp(cmd->handle.table.name, table->handle.table.name) ||
+ cmd->handle.family != table->handle.family) {
+ netlink_io_error(ctx, &cmd->handle.table.location,
+ "%s; did you mean table ‘%s’ in family %s?",
+ strerror(ENOENT), table->handle.table.name,
+ family2str(table->handle.family));
+ return 1;
+ }
+
+ return 0;
+}
+
static int nft_cmd_enoent_chain(struct netlink_ctx *ctx, const struct cmd *cmd,
const struct location *loc)
{
- const struct table *table;
+ const struct table *table = NULL;
struct chain *chain;
if (!cmd->handle.chain.name)
return 0;
chain = chain_lookup_fuzzy(&cmd->handle, &ctx->nft->cache, &table);
+ /* check table first. */
+ if (!table)
+ return 0;
+
+ if (table_fuzzy_check(ctx, cmd, table))
+ return 1;
+
if (!chain)
return 0;
- netlink_io_error(ctx, loc, "%s; did you mean table ‘%s’ in family %s?",
+ netlink_io_error(ctx, loc, "%s; did you mean chain ‘%s’ in table %s ‘%s’?",
strerror(ENOENT), chain->handle.chain.name,
family2str(table->handle.family),
table->handle.table.name);
@@ -52,24 +78,24 @@ static int nft_cmd_enoent_rule(struct netlink_ctx *ctx, const struct cmd *cmd,
{
unsigned int flags = NFT_CACHE_TABLE |
NFT_CACHE_CHAIN;
- const struct table *table;
+ const struct table *table = NULL;
struct chain *chain;
if (nft_cache_update(ctx->nft, flags, ctx->msgs) < 0)
return 0;
- table = table_lookup_fuzzy(&cmd->handle, &ctx->nft->cache);
- if (table && strcmp(cmd->handle.table.name, table->handle.table.name)) {
- netlink_io_error(ctx, loc, "%s; did you mean table ‘%s’ in family %s?",
- strerror(ENOENT), table->handle.table.name,
- family2str(table->handle.family));
+ chain = chain_lookup_fuzzy(&cmd->handle, &ctx->nft->cache, &table);
+ /* check table first. */
+ if (!table)
+ return 0;
+
+ if (table_fuzzy_check(ctx, cmd, table))
return 1;
- } else if (!table) {
+
+ if (!chain)
return 0;
- }
- chain = chain_lookup_fuzzy(&cmd->handle, &ctx->nft->cache, &table);
- if (chain && strcmp(cmd->handle.chain.name, chain->handle.chain.name)) {
+ if (strcmp(cmd->handle.chain.name, chain->handle.chain.name)) {
netlink_io_error(ctx, loc, "%s; did you mean chain ‘%s’ in table %s ‘%s’?",
strerror(ENOENT),
chain->handle.chain.name,
@@ -84,13 +110,20 @@ static int nft_cmd_enoent_rule(struct netlink_ctx *ctx, const struct cmd *cmd,
static int nft_cmd_enoent_set(struct netlink_ctx *ctx, const struct cmd *cmd,
const struct location *loc)
{
- const struct table *table;
+ const struct table *table = NULL;
struct set *set;
if (!cmd->handle.set.name)
return 0;
set = set_lookup_fuzzy(cmd->handle.set.name, &ctx->nft->cache, &table);
+ /* check table first. */
+ if (!table)
+ return 0;
+
+ if (table_fuzzy_check(ctx, cmd, table))
+ return 1;
+
if (!set)
return 0;
@@ -106,13 +139,20 @@ static int nft_cmd_enoent_set(struct netlink_ctx *ctx, const struct cmd *cmd,
static int nft_cmd_enoent_obj(struct netlink_ctx *ctx, const struct cmd *cmd,
const struct location *loc)
{
- const struct table *table;
+ const struct table *table = NULL;
struct obj *obj;
if (!cmd->handle.obj.name)
return 0;
obj = obj_lookup_fuzzy(cmd->handle.obj.name, &ctx->nft->cache, &table);
+ /* check table first. */
+ if (!table)
+ return 0;
+
+ if (table_fuzzy_check(ctx, cmd, table))
+ return 1;
+
if (!obj)
return 0;
@@ -127,7 +167,7 @@ static int nft_cmd_enoent_flowtable(struct netlink_ctx *ctx,
const struct cmd *cmd,
const struct location *loc)
{
- const struct table *table;
+ const struct table *table = NULL;
struct flowtable *ft;
if (!cmd->handle.flowtable.name)
@@ -135,6 +175,13 @@ static int nft_cmd_enoent_flowtable(struct netlink_ctx *ctx,
ft = flowtable_lookup_fuzzy(cmd->handle.flowtable.name,
&ctx->nft->cache, &table);
+ /* check table first. */
+ if (!table)
+ return 0;
+
+ if (table_fuzzy_check(ctx, cmd, table))
+ return 1;
+
if (!ft)
return 0;
diff --git a/src/datatype.c b/src/datatype.c
index c4e66c46..7267d608 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -1382,9 +1382,10 @@ static void cgroupv2_type_print(const struct expr *expr,
cgroup_path = cgroupv2_get_path(SYSFS_CGROUPSV2_PATH, id);
if (cgroup_path)
- nft_print(octx, "\"%s\"", cgroup_path);
+ nft_print(octx, "\"%s\"",
+ &cgroup_path[strlen(SYSFS_CGROUPSV2_PATH) + 1]);
else
- nft_print(octx, "%lu", id);
+ nft_print(octx, "%" PRIu64, id);
xfree(cgroup_path);
}
diff --git a/src/evaluate.c b/src/evaluate.c
index 2e31ed10..4609576b 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -568,6 +568,7 @@ static int expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **exprp)
switch (expr->exthdr.op) {
case NFT_EXTHDR_OP_TCPOPT:
+ case NFT_EXTHDR_OP_SCTP:
return __expr_evaluate_exthdr(ctx, exprp);
case NFT_EXTHDR_OP_IPV4:
dependency = &proto_ip;
@@ -1018,7 +1019,6 @@ static int expr_evaluate_range(struct eval_ctx *ctx, struct expr **expr)
if (mpz_cmp(left->value, right->value) >= 0)
return expr_error(ctx->msgs, range,
"Range has zero or negative size");
-
datatype_set(range, left->dtype);
range->flags |= EXPR_F_CONSTANT;
return 0;
@@ -1240,8 +1240,7 @@ static int list_member_evaluate(struct eval_ctx *ctx, struct expr **expr)
return err;
}
-static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr,
- bool eval)
+static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
{
const struct datatype *dtype = ctx->ectx.dtype, *tmp;
uint32_t type = dtype ? dtype->type : 0, ntype = 0;
@@ -1270,7 +1269,7 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr,
tmp = concat_subtype_lookup(type, --off);
expr_set_context(&ctx->ectx, tmp, tmp->size);
- if (eval && list_member_evaluate(ctx, &i) < 0)
+ if (list_member_evaluate(ctx, &i) < 0)
return -1;
flags &= i->flags;
@@ -1352,10 +1351,12 @@ static int __expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr *elem)
"but element has %d", num_set_exprs,
num_elem_exprs);
} else if (num_set_exprs == 0) {
- if (!(set->flags & NFT_SET_EVAL))
- return expr_error(ctx->msgs, elem,
- "missing statements in %s definition",
+ if (!(set->flags & NFT_SET_EVAL)) {
+ elem_stmt = list_first_entry(&elem->stmt_list, struct stmt, list);
+ return stmt_error(ctx, elem_stmt,
+ "missing statement in %s declaration",
set_is_map(set->flags) ? "map" : "set");
+ }
return 0;
}
@@ -1413,27 +1414,39 @@ static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr)
return 0;
}
+static const struct expr *expr_set_elem(const struct expr *expr)
+{
+ if (expr->etype == EXPR_MAPPING)
+ return expr->left;
+
+ return expr;
+}
+
static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
{
struct expr *set = *expr, *i, *next;
+ const struct expr *elem;
list_for_each_entry_safe(i, next, &set->expressions, list) {
if (list_member_evaluate(ctx, &i) < 0)
return -1;
- if (i->etype == EXPR_SET_ELEM &&
- i->key->etype == EXPR_SET_REF)
+ elem = expr_set_elem(i);
+
+ if (elem->etype == EXPR_SET_ELEM &&
+ elem->key->etype == EXPR_SET_REF)
return expr_error(ctx->msgs, i,
"Set reference cannot be part of another set");
- if (i->etype == EXPR_SET_ELEM &&
- i->key->etype == EXPR_SET) {
- struct expr *new = expr_clone(i->key);
+ if (elem->etype == EXPR_SET_ELEM &&
+ elem->key->etype == EXPR_SET) {
+ struct expr *new = expr_clone(elem->key);
- set->set_flags |= i->key->set_flags;
+ set->set_flags |= elem->key->set_flags;
list_replace(&i->list, &new->list);
expr_free(i);
i = new;
+ elem = expr_set_elem(i);
}
if (!expr_is_constant(i))
@@ -1449,13 +1462,30 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
expr_free(i);
} else if (!expr_is_singleton(i)) {
set->set_flags |= NFT_SET_INTERVAL;
- if (i->key->etype == EXPR_CONCAT)
+ if (elem->key->etype == EXPR_CONCAT)
set->set_flags |= NFT_SET_CONCAT;
}
}
- if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))
- set->set_flags |= NFT_SET_CONCAT;
+ if (ctx->set) {
+ if (ctx->set->flags & NFT_SET_CONCAT)
+ set->set_flags |= NFT_SET_CONCAT;
+ } else if (set->size == 1) {
+ i = list_first_entry(&set->expressions, struct expr, list);
+ if (i->etype == EXPR_SET_ELEM) {
+ switch (i->key->etype) {
+ case EXPR_PREFIX:
+ case EXPR_RANGE:
+ case EXPR_VALUE:
+ *expr = i->key;
+ i->key = NULL;
+ expr_free(set);
+ return 0;
+ default:
+ break;
+ }
+ }
+ }
set->set_flags |= NFT_SET_CONSTANT;
@@ -1534,6 +1564,14 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
ctx->set = NULL;
map = *expr;
map->mappings->set->flags |= map->mappings->set->init->set_flags;
+
+ if (map->mappings->set->flags & NFT_SET_INTERVAL &&
+ map->map->etype == EXPR_CONCAT) {
+ memcpy(&map->mappings->set->desc.field_len, &map->map->field_len,
+ sizeof(map->mappings->set->desc.field_len));
+ map->mappings->set->desc.field_count = map->map->field_count;
+ map->mappings->flags |= NFT_SET_CONCAT;
+ }
break;
case EXPR_SYMBOL:
if (expr_evaluate(ctx, &map->mappings) < 0)
@@ -1543,6 +1581,9 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
return expr_error(ctx->msgs, map->mappings,
"Expression is not a map");
break;
+ case EXPR_SET_REF:
+ /* symbol has been already evaluated to set reference */
+ break;
default:
BUG("invalid mapping expression %s\n",
expr_name(map->mappings));
@@ -1566,6 +1607,26 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
return 0;
}
+static bool data_mapping_has_interval(struct expr *data)
+{
+ struct expr *i;
+
+ if (data->etype == EXPR_RANGE ||
+ data->etype == EXPR_PREFIX)
+ return true;
+
+ if (data->etype != EXPR_CONCAT)
+ return false;
+
+ list_for_each_entry(i, &data->expressions, list) {
+ if (i->etype == EXPR_RANGE ||
+ i->etype == EXPR_PREFIX)
+ return true;
+ }
+
+ return false;
+}
+
static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
{
struct expr *mapping = *expr;
@@ -1605,8 +1666,7 @@ static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
"Value must be a constant");
if (set_is_anonymous(set->flags) &&
- (mapping->right->etype == EXPR_RANGE ||
- mapping->right->etype == EXPR_PREFIX))
+ data_mapping_has_interval(mapping->right))
set->data->flags |= EXPR_F_INTERVAL;
if (!(set->data->flags & EXPR_F_INTERVAL) &&
@@ -1639,17 +1699,20 @@ static void expr_dtype_integer_compatible(struct eval_ctx *ctx,
static int expr_evaluate_numgen(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *expr = *exprp;
+ unsigned int maxval;
expr_dtype_integer_compatible(ctx, expr);
+ maxval = expr->numgen.mod + expr->numgen.offset - 1;
__expr_set_context(&ctx->ectx, expr->dtype, expr->byteorder, expr->len,
- expr->numgen.mod - 1);
+ maxval);
return 0;
}
static int expr_evaluate_hash(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *expr = *exprp;
+ unsigned int maxval;
expr_dtype_integer_compatible(ctx, expr);
@@ -1662,8 +1725,9 @@ static int expr_evaluate_hash(struct eval_ctx *ctx, struct expr **exprp)
* expression to be hashed. Since this input is transformed to a 4 bytes
* integer, restore context to the datatype that results from hashing.
*/
+ maxval = expr->hash.mod + expr->hash.offset - 1;
__expr_set_context(&ctx->ectx, expr->dtype, expr->byteorder, expr->len,
- expr->hash.mod - 1);
+ maxval);
return 0;
}
@@ -1732,8 +1796,6 @@ static int binop_transfer_one(struct eval_ctx *ctx,
return 0;
}
- expr_get(*right);
-
switch (left->op) {
case OP_LSHIFT:
(*right) = binop_expr_alloc(&(*right)->location, OP_RSHIFT,
@@ -2134,6 +2196,25 @@ static int expr_evaluate_xfrm(struct eval_ctx *ctx, struct expr **exprp)
return expr_evaluate_primary(ctx, exprp);
}
+static int expr_evaluate_flagcmp(struct eval_ctx *ctx, struct expr **exprp)
+{
+ struct expr *expr = *exprp, *binop, *rel;
+
+ if (expr->op != OP_EQ &&
+ expr->op != OP_NEQ)
+ return expr_error(ctx->msgs, expr, "either == or != is allowed");
+
+ binop = binop_expr_alloc(&expr->location, OP_AND,
+ expr_get(expr->flagcmp.expr),
+ expr_get(expr->flagcmp.mask));
+ rel = relational_expr_alloc(&expr->location, expr->op, binop,
+ expr_get(expr->flagcmp.value));
+ expr_free(expr);
+ *exprp = rel;
+
+ return expr_evaluate(ctx, exprp);
+}
+
static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
{
if (ctx->nft->debug_mask & NFT_DEBUG_EVALUATION) {
@@ -2182,7 +2263,7 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
case EXPR_BINOP:
return expr_evaluate_binop(ctx, expr);
case EXPR_CONCAT:
- return expr_evaluate_concat(ctx, expr, true);
+ return expr_evaluate_concat(ctx, expr);
case EXPR_LIST:
return expr_evaluate_list(ctx, expr);
case EXPR_SET:
@@ -2203,6 +2284,8 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
return expr_evaluate_xfrm(ctx, expr);
case EXPR_SET_ELEM_CATCHALL:
return 0;
+ case EXPR_FLAGCMP:
+ return expr_evaluate_flagcmp(ctx, expr);
default:
BUG("unknown expression type %s\n", expr_name(*expr));
}
@@ -2916,9 +2999,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
stmt->nat.family = ctx->pctx.family;
return 0;
case NFPROTO_INET:
- if (!stmt->nat.addr)
+ if (!stmt->nat.addr) {
+ stmt->nat.family = NFPROTO_INET;
return 0;
-
+ }
if (stmt->nat.family != NFPROTO_UNSPEC)
return 0;
@@ -3078,6 +3162,9 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
return 0;
data = stmt->nat.addr->mappings->set->data;
+ if (data->flags & EXPR_F_INTERVAL)
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL;
+
datatype_set(data, dtype);
if (expr_ops(data)->type != EXPR_CONCAT)
@@ -3113,6 +3200,40 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
return err;
}
+static bool nat_concat_map(struct eval_ctx *ctx, struct stmt *stmt)
+{
+ struct expr *i;
+
+ if (stmt->nat.addr->etype != EXPR_MAP)
+ return false;
+
+ switch (stmt->nat.addr->mappings->etype) {
+ case EXPR_SET:
+ list_for_each_entry(i, &stmt->nat.addr->mappings->expressions, list) {
+ if (i->etype == EXPR_MAPPING &&
+ i->right->etype == EXPR_CONCAT) {
+ stmt->nat.type_flags |= STMT_NAT_F_CONCAT;
+ return true;
+ }
+ }
+ break;
+ case EXPR_SYMBOL:
+ /* expr_evaluate_map() see EXPR_SET_REF after this evaluation. */
+ if (expr_evaluate(ctx, &stmt->nat.addr->mappings))
+ return false;
+
+ if (stmt->nat.addr->mappings->set->data->etype == EXPR_CONCAT) {
+ stmt->nat.type_flags |= STMT_NAT_F_CONCAT;
+ return true;
+ }
+ break;
+ default:
+ break;
+ }
+
+ return false;
+}
+
static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
{
int err;
@@ -3126,7 +3247,9 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
if (err < 0)
return err;
- if (stmt->nat.type_flags & STMT_NAT_F_CONCAT) {
+ if (nat_concat_map(ctx, stmt) ||
+ stmt->nat.type_flags & STMT_NAT_F_CONCAT) {
+
err = stmt_evaluate_nat_map(ctx, stmt);
if (err < 0)
return err;
@@ -3141,26 +3264,6 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
return err;
}
- if (stmt->nat.type_flags & STMT_NAT_F_INTERVAL) {
- switch (stmt->nat.addr->etype) {
- case EXPR_MAP:
- if (!(stmt->nat.addr->mappings->set->data->flags & EXPR_F_INTERVAL))
- return expr_error(ctx->msgs, stmt->nat.addr,
- "map is not defined as interval");
- break;
- case EXPR_RANGE:
- case EXPR_PREFIX:
- break;
- default:
- return expr_error(ctx->msgs, stmt->nat.addr,
- "neither prefix, range nor map expression");
- }
-
- stmt->flags |= STMT_F_TERMINAL;
-
- return 0;
- }
-
if (stmt->nat.proto != NULL) {
err = nat_evaluate_transport(ctx, stmt, &stmt->nat.proto);
if (err < 0)
@@ -3385,14 +3488,16 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
BYTEORDER_HOST_ENDIAN,
&stmt->queue.queue) < 0)
return -1;
- if (!expr_is_constant(stmt->queue.queue))
- return expr_error(ctx->msgs, stmt->queue.queue,
- "queue number is not constant");
- if (stmt->queue.queue->etype != EXPR_RANGE &&
- (stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT))
+
+ if ((stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT) &&
+ stmt->queue.queue->etype != EXPR_RANGE)
return expr_error(ctx->msgs, stmt->queue.queue,
"fanout requires a range to be "
"specified");
+
+ if (ctx->ectx.maxval > USHRT_MAX)
+ return expr_error(ctx->msgs, stmt->queue.queue,
+ "queue expression max value exceeds %u", USHRT_MAX);
}
stmt->flags |= STMT_F_TERMINAL;
return 0;
@@ -3735,6 +3840,45 @@ static int set_key_data_error(struct eval_ctx *ctx, const struct set *set,
dtype->name, name, hint);
}
+static int set_expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
+{
+ unsigned int flags = EXPR_F_CONSTANT | EXPR_F_SINGLETON;
+ struct expr *i, *next;
+ uint32_t ntype = 0;
+
+ list_for_each_entry_safe(i, next, &(*expr)->expressions, list) {
+ unsigned dsize_bytes;
+
+ if (i->etype == EXPR_CT &&
+ (i->ct.key == NFT_CT_SRC ||
+ i->ct.key == NFT_CT_DST))
+ return expr_error(ctx->msgs, i,
+ "specify either ip or ip6 for address matching");
+
+ if (i->dtype->size == 0)
+ return expr_binary_error(ctx->msgs, i, *expr,
+ "can not use variable sized "
+ "data types (%s) in concat "
+ "expressions",
+ i->dtype->name);
+
+ flags &= i->flags;
+
+ ntype = concat_subtype_add(ntype, i->dtype->type);
+
+ dsize_bytes = div_round_up(i->dtype->size, BITS_PER_BYTE);
+ (*expr)->field_len[(*expr)->field_count++] = dsize_bytes;
+ }
+
+ (*expr)->flags |= flags;
+ datatype_set(*expr, concat_type_alloc(ntype));
+ (*expr)->len = (*expr)->dtype->size;
+
+ expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->len);
+
+ return 0;
+}
+
static int set_evaluate(struct eval_ctx *ctx, struct set *set)
{
unsigned int num_stmts = 0;
@@ -3742,15 +3886,16 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
struct stmt *stmt;
const char *type;
- table = table_cache_find(&ctx->nft->cache.table_cache,
- ctx->cmd->handle.table.name,
- ctx->cmd->handle.family);
- if (table == NULL)
- return table_not_found(ctx);
+ if (!set_is_anonymous(set->flags)) {
+ table = table_cache_find(&ctx->nft->cache.table_cache,
+ set->handle.table.name,
+ set->handle.family);
+ if (table == NULL)
+ return table_not_found(ctx);
- if (!(set->flags & NFT_SET_ANONYMOUS) &&
- !set_cache_find(table, set->handle.set.name))
- set_cache_add(set_get(set), table);
+ if (!set_cache_find(table, set->handle.set.name))
+ set_cache_add(set_get(set), table);
+ }
if (!(set->flags & NFT_SET_INTERVAL) && set->automerge)
return set_error(ctx, set, "auto-merge only works with interval sets");
@@ -3763,7 +3908,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
if (set->key->len == 0) {
if (set->key->etype == EXPR_CONCAT &&
- expr_evaluate_concat(ctx, &set->key, false) < 0)
+ set_expr_evaluate_concat(ctx, &set->key) < 0)
return -1;
if (set->key->len == 0)
@@ -3783,13 +3928,13 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
return set_error(ctx, set, "map definition does not "
"specify mapping data type");
- if (set->data->flags & EXPR_F_INTERVAL)
- set->data->len *= 2;
-
if (set->data->etype == EXPR_CONCAT &&
- expr_evaluate_concat(ctx, &set->data, false) < 0)
+ set_expr_evaluate_concat(ctx, &set->data) < 0)
return -1;
+ if (set->data->flags & EXPR_F_INTERVAL)
+ set->data->len *= 2;
+
if (set->data->len == 0 && set->data->dtype->type != TYPE_VERDICT)
return set_key_data_error(ctx, set,
set->data->dtype, type);
@@ -3827,9 +3972,6 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
}
ctx->set = NULL;
- if (set_cache_find(table, set->handle.set.name) == NULL)
- set_cache_add(set_get(set), table);
-
return 0;
}
@@ -4106,6 +4248,7 @@ static uint32_t str2hooknum(uint32_t family, const char *hook)
case NFPROTO_INET:
if (!strcmp(hook, "ingress"))
return NF_INET_INGRESS;
+ /* fall through */
case NFPROTO_IPV4:
case NFPROTO_BRIDGE:
case NFPROTO_IPV6:
@@ -4680,6 +4823,16 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_METERS:
case CMD_OBJ_MAPS:
return 0;
+ case CMD_OBJ_HOOKS:
+ if (cmd->handle.chain.name) {
+ int hooknum = str2hooknum(cmd->handle.family, cmd->handle.chain.name);
+
+ if (hooknum == NF_INET_NUMHOOKS)
+ return chain_not_found(ctx);
+
+ cmd->handle.chain_id = hooknum;
+ }
+ return 0;
default:
BUG("invalid command object type %u\n", cmd->obj);
}
diff --git a/src/expression.c b/src/expression.c
index b3400751..c6be0001 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -135,9 +135,12 @@ void expr_describe(const struct expr *expr, struct output_ctx *octx)
nft_print(octx, "datatype %s (%s)",
dtype->name, dtype->desc);
len = dtype->size;
- } else {
+ } else if (dtype != &invalid_type) {
nft_print(octx, "%s expression, datatype %s (%s)",
expr_name(expr), dtype->name, dtype->desc);
+ } else {
+ nft_print(octx, "datatype %s is invalid\n", expr->identifier);
+ return;
}
if (dtype->basetype != NULL) {
@@ -1338,6 +1341,7 @@ static const struct expr_ops set_elem_catchall_expr_ops = {
.type = EXPR_SET_ELEM_CATCHALL,
.name = "catch-all set element",
.print = set_elem_catchall_expr_print,
+ .json = set_elem_catchall_expr_json,
};
struct expr *set_elem_catchall_expr_alloc(const struct location *loc)
@@ -1351,6 +1355,56 @@ struct expr *set_elem_catchall_expr_alloc(const struct location *loc)
return expr;
}
+static void flagcmp_expr_print(const struct expr *expr, struct output_ctx *octx)
+{
+ expr_print(expr->flagcmp.expr, octx);
+ nft_print(octx, " ");
+ expr_print(expr->flagcmp.value, octx);
+ nft_print(octx, " / ");
+ expr_print(expr->flagcmp.mask, octx);
+}
+
+static void flagcmp_expr_clone(struct expr *new, const struct expr *expr)
+{
+ new->flagcmp.expr = expr_clone(expr->flagcmp.expr);
+ new->flagcmp.mask = expr_clone(expr->flagcmp.mask);
+ new->flagcmp.value = expr_clone(expr->flagcmp.value);
+}
+
+static void flagcmp_expr_destroy(struct expr *expr)
+{
+ expr_free(expr->flagcmp.expr);
+ expr_free(expr->flagcmp.mask);
+ expr_free(expr->flagcmp.value);
+}
+
+static const struct expr_ops flagcmp_expr_ops = {
+ .type = EXPR_FLAGCMP,
+ .name = "flags comparison",
+ .print = flagcmp_expr_print,
+ .json = flagcmp_expr_json,
+ .clone = flagcmp_expr_clone,
+ .destroy = flagcmp_expr_destroy,
+};
+
+struct expr *flagcmp_expr_alloc(const struct location *loc, enum ops op,
+ struct expr *match, struct expr *mask,
+ struct expr *value)
+{
+ struct expr *expr;
+
+ expr = expr_alloc(loc, EXPR_FLAGCMP, match->dtype, match->byteorder,
+ match->len);
+ expr->op = op;
+ expr->flagcmp.expr = match;
+ expr->flagcmp.mask = mask;
+ /* json output needs this operation for compatibility */
+ expr->flagcmp.mask->op = OP_OR;
+ expr->flagcmp.value = value;
+
+ return expr;
+}
+
void range_expr_value_low(mpz_t rop, const struct expr *expr)
{
switch (expr->etype) {
@@ -1427,6 +1481,7 @@ static const struct expr_ops *__expr_ops_by_type(enum expr_types etype)
case EXPR_FIB: return &fib_expr_ops;
case EXPR_XFRM: return &xfrm_expr_ops;
case EXPR_SET_ELEM_CATCHALL: return &set_elem_catchall_expr_ops;
+ case EXPR_FLAGCMP: return &flagcmp_expr_ops;
}
BUG("Unknown expression type %d\n", etype);
diff --git a/src/exthdr.c b/src/exthdr.c
index b0243ada..22a08b0c 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -22,6 +22,7 @@
#include <headers.h>
#include <expression.h>
#include <statement.h>
+#include <sctp_chunk.h>
static const struct exthdr_desc *exthdr_definitions[PROTO_DESC_MAX + 1] = {
[EXTHDR_DESC_HBH] = &exthdr_hbh,
@@ -75,6 +76,11 @@ static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)
if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
return;
nft_print(octx, " %s", expr->exthdr.tmpl->token);
+ } else if (expr->exthdr.op == NFT_EXTHDR_OP_SCTP) {
+ nft_print(octx, "sctp chunk %s", expr->exthdr.desc->name);
+ if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
+ return;
+ nft_print(octx, " %s", expr->exthdr.tmpl->token);
} else {
if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
nft_print(octx, "exthdr %s", expr->exthdr.desc->name);
@@ -291,6 +297,8 @@ void exthdr_init_raw(struct expr *expr, uint8_t type,
return tcpopt_init_raw(expr, type, offset, len, flags);
if (op == NFT_EXTHDR_OP_IPV4)
return ipopt_init_raw(expr, type, offset, len, flags, true);
+ if (op == NFT_EXTHDR_OP_SCTP)
+ return sctp_chunk_init_raw(expr, type, offset, len, flags);
expr->len = len;
expr->exthdr.flags = flags;
diff --git a/src/json.c b/src/json.c
index b4197b2f..63b325af 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1,4 +1,5 @@
#define _GNU_SOURCE
+#include <stdio.h>
#include <string.h>
#include <expression.h>
@@ -42,7 +43,8 @@ static json_t *expr_print_json(const struct expr *expr, struct output_ctx *octx)
if (ops->json)
return ops->json(expr, octx);
- printf("warning: expr ops %s have no json callback\n", expr_name(expr));
+ fprintf(stderr, "warning: expr ops %s have no json callback\n",
+ expr_name(expr));
fp = octx->output_fp;
octx->output_fp = fmemopen(buf, 1024, "w");
@@ -180,8 +182,8 @@ static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx)
if (stmt->ops->json)
return stmt->ops->json(stmt, octx);
- printf("warning: stmt ops %s have no json callback\n",
- stmt->ops->name);
+ fprintf(stderr, "warning: stmt ops %s have no json callback\n",
+ stmt->ops->name);
fp = octx->output_fp;
octx->output_fp = fmemopen(buf, 1024, "w");
@@ -241,7 +243,7 @@ static json_t *chain_print_json(const struct chain *chain)
mpz_export_data(&policy, chain->policy->value,
BYTEORDER_HOST_ENDIAN, sizeof(int));
tmp = json_pack("{s:s, s:s, s:i, s:s}",
- "type", chain->type,
+ "type", chain->type.str,
"hook", hooknum2str(chain->handle.family,
chain->hook.num),
"prio", priority,
@@ -479,6 +481,20 @@ static json_t *table_print_json(const struct table *table)
return json_pack("{s:o}", "table", root);
}
+json_t *flagcmp_expr_json(const struct expr *expr, struct output_ctx *octx)
+{
+ json_t *left;
+
+ left = json_pack("{s:[o, o]}", expr_op_symbols[OP_AND],
+ expr_print_json(expr->flagcmp.expr, octx),
+ expr_print_json(expr->flagcmp.mask, octx));
+
+ return json_pack("{s:{s:s, s:o, s:o}}", "match",
+ "op", expr_op_symbols[expr->op] ? : "in",
+ "left", left,
+ "right", expr_print_json(expr->flagcmp.value, octx));
+}
+
json_t *binop_expr_json(const struct expr *expr, struct output_ctx *octx)
{
return json_pack("{s:[o, o]}", expr_op_symbols[expr->op],
@@ -692,26 +708,23 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
"base", expr->exthdr.raw_type,
"offset", expr->exthdr.offset,
"len", expr->len);
- is_exists = false;
}
return json_pack("{s:o}", "tcp option", root);
}
- if (expr->exthdr.op == NFT_EXTHDR_OP_IPV4) {
- root = json_pack("{s:s}", "name", desc);
- if (!is_exists)
- json_object_set_new(root, "field", json_string(field));
-
- return json_pack("{s:o}", "ip option", root);
- }
-
- root = json_pack("{s:s}",
- "name", desc);
+ root = json_pack("{s:s}", "name", desc);
if (!is_exists)
json_object_set_new(root, "field", json_string(field));
- return json_pack("{s:o}", "exthdr", root);
+ switch (expr->exthdr.op) {
+ case NFT_EXTHDR_OP_IPV4:
+ return json_pack("{s:o}", "ip option", root);
+ case NFT_EXTHDR_OP_SCTP:
+ return json_pack("{s:o}", "sctp chunk", root);
+ default:
+ return json_pack("{s:o}", "exthdr", root);
+ }
}
json_t *verdict_expr_json(const struct expr *expr, struct output_ctx *octx)
@@ -877,6 +890,11 @@ static json_t *symbolic_constant_json(const struct symbol_table *tbl,
return json_string(s->identifier);
}
+json_t *set_elem_catchall_expr_json(const struct expr *expr, struct output_ctx *octx)
+{
+ return json_string("*");
+}
+
static json_t *datatype_json(const struct expr *expr, struct output_ctx *octx)
{
const struct datatype *dtype = expr->dtype;
@@ -1311,12 +1329,8 @@ static json_t *nat_type_flags_json(uint32_t type_flags)
{
json_t *array = json_array();
- if (type_flags & STMT_NAT_F_INTERVAL)
- json_array_append_new(array, json_string("interval"));
if (type_flags & STMT_NAT_F_PREFIX)
json_array_append_new(array, json_string("prefix"));
- if (type_flags & STMT_NAT_F_CONCAT)
- json_array_append_new(array, json_string("concat"));
return array;
}
diff --git a/src/libnftables.c b/src/libnftables.c
index e080eb03..aa6493aa 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -89,6 +89,12 @@ static int nft_netlink(struct nft_ctx *nft,
last_seqnum = UINT32_MAX;
}
}
+ /* nfnetlink uses the first netlink message header in the batch whose
+ * sequence number is zero to report for EOPNOTSUPP and EPERM errors in
+ * some scenarios. Now it is safe to release pending errors here.
+ */
+ list_for_each_entry_safe(err, tmp, &err_list, head)
+ mnl_err_list_free(err);
out:
mnl_batch_reset(ctx.batch);
return ret;
@@ -113,6 +119,45 @@ static void nft_exit(struct nft_ctx *ctx)
mark_table_exit(ctx);
}
+EXPORT_SYMBOL(nft_ctx_add_var);
+int nft_ctx_add_var(struct nft_ctx *ctx, const char *var)
+{
+ char *separator = strchr(var, '=');
+ int pcount = ctx->num_vars;
+ struct nft_vars *tmp;
+ const char *value;
+
+ if (!separator)
+ return -1;
+
+ tmp = realloc(ctx->vars, (pcount + 1) * sizeof(struct nft_vars));
+ if (!tmp)
+ return -1;
+
+ *separator = '\0';
+ value = separator + 1;
+
+ ctx->vars = tmp;
+ ctx->vars[pcount].key = xstrdup(var);
+ ctx->vars[pcount].value = xstrdup(value);
+ ctx->num_vars++;
+
+ return 0;
+}
+
+EXPORT_SYMBOL(nft_ctx_clear_vars);
+void nft_ctx_clear_vars(struct nft_ctx *ctx)
+{
+ unsigned int i;
+
+ for (i = 0; i < ctx->num_vars; i++) {
+ xfree(ctx->vars[i].key);
+ xfree(ctx->vars[i].value);
+ }
+ ctx->num_vars = 0;
+ xfree(ctx->vars);
+}
+
EXPORT_SYMBOL(nft_ctx_add_include_path);
int nft_ctx_add_include_path(struct nft_ctx *ctx, const char *path)
{
@@ -172,6 +217,7 @@ struct nft_ctx *nft_ctx_new(uint32_t flags)
ctx->flags = flags;
ctx->output.output_fp = stdout;
ctx->output.error_fp = stderr;
+ init_list_head(&ctx->vars_ctx.indesc_list);
if (flags == NFT_CTX_DEFAULT)
nft_ctx_netlink_init(ctx);
@@ -305,6 +351,7 @@ void nft_ctx_free(struct nft_ctx *ctx)
exit_cookie(&ctx->output.error_cookie);
iface_cache_release();
nft_cache_release(&ctx->cache);
+ nft_ctx_clear_vars(ctx);
nft_ctx_clear_include_paths(ctx);
scope_free(ctx->top_scope);
xfree(ctx->state);
@@ -501,6 +548,47 @@ err:
return rc;
}
+static int load_cmdline_vars(struct nft_ctx *ctx, struct list_head *msgs)
+{
+ unsigned int bufsize, ret, i, offset = 0;
+ LIST_HEAD(cmds);
+ char *buf;
+ int rc;
+
+ if (ctx->num_vars == 0)
+ return 0;
+
+ bufsize = 1024;
+ buf = xzalloc(bufsize + 1);
+ for (i = 0; i < ctx->num_vars; i++) {
+retry:
+ ret = snprintf(buf + offset, bufsize - offset,
+ "define %s=%s; ",
+ ctx->vars[i].key, ctx->vars[i].value);
+ if (ret >= bufsize - offset) {
+ bufsize *= 2;
+ buf = xrealloc(buf, bufsize + 1);
+ goto retry;
+ }
+ offset += ret;
+ }
+ snprintf(buf + offset, bufsize - offset, "\n");
+
+ rc = nft_parse_bison_buffer(ctx, buf, msgs, &cmds);
+
+ assert(list_empty(&cmds));
+ /* Stash the buffer that contains the variable definitions and zap the
+ * list of input descriptors before releasing the scanner state,
+ * otherwise error reporting path walks over released objects.
+ */
+ ctx->vars_ctx.buf = buf;
+ list_splice_init(&ctx->state->indesc_list, &ctx->vars_ctx.indesc_list);
+ scanner_destroy(ctx);
+ ctx->scanner = NULL;
+
+ return rc;
+}
+
EXPORT_SYMBOL(nft_run_cmd_from_filename);
int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
{
@@ -509,6 +597,10 @@ int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
LIST_HEAD(msgs);
LIST_HEAD(cmds);
+ rc = load_cmdline_vars(nft, &msgs);
+ if (rc < 0)
+ goto err;
+
if (!strcmp(filename, "-"))
filename = "/dev/stdin";
@@ -542,6 +634,17 @@ err:
scanner_destroy(nft);
nft->scanner = NULL;
}
+ if (!list_empty(&nft->vars_ctx.indesc_list)) {
+ struct input_descriptor *indesc, *next;
+
+ list_for_each_entry_safe(indesc, next, &nft->vars_ctx.indesc_list, list) {
+ if (indesc->name)
+ xfree(indesc->name);
+
+ xfree(indesc);
+ }
+ }
+ xfree(nft->vars_ctx.buf);
if (!rc &&
nft_output_json(&nft->output) &&
diff --git a/src/libnftables.map b/src/libnftables.map
index 955af380..d3a795ce 100644
--- a/src/libnftables.map
+++ b/src/libnftables.map
@@ -1,7 +1,7 @@
LIBNFTABLES_1 {
global:
nft_ctx_add_include_path;
- nft_ctx_clear_include_pat;
+ nft_ctx_clear_include_paths;
nft_ctx_new;
nft_ctx_buffer_output;
nft_ctx_unbuffer_output;
@@ -23,3 +23,8 @@ global:
local: *;
};
+
+LIBNFTABLES_2 {
+ nft_ctx_add_var;
+ nft_ctx_clear_vars;
+} LIBNFTABLES_1;
diff --git a/src/main.c b/src/main.c
index 8c470644..21096fc7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -32,6 +32,7 @@ enum opt_indices {
/* Ruleset input handling */
IDX_FILE,
#define IDX_RULESET_INPUT_START IDX_FILE
+ IDX_DEFINE,
IDX_INTERACTIVE,
IDX_INCLUDEPATH,
IDX_CHECK,
@@ -63,6 +64,7 @@ enum opt_vals {
OPT_VERSION_LONG = 'V',
OPT_CHECK = 'c',
OPT_FILE = 'f',
+ OPT_DEFINE = 'D',
OPT_INTERACTIVE = 'i',
OPT_INCLUDEPATH = 'I',
OPT_JSON = 'j',
@@ -100,6 +102,8 @@ static const struct nft_opt nft_options[] = {
"Show extended version information"),
[IDX_FILE] = NFT_OPT("file", OPT_FILE, "<filename>",
"Read input from <filename>"),
+ [IDX_DEFINE] = NFT_OPT("define", OPT_DEFINE, "<name=value>",
+ "Define variable, e.g. --define foo=1.2.3.4"),
[IDX_INTERACTIVE] = NFT_OPT("interactive", OPT_INTERACTIVE, NULL,
"Read input from interactive CLI"),
[IDX_INCLUDEPATH] = NFT_OPT("includepath", OPT_INCLUDEPATH, "<directory>",
@@ -332,8 +336,10 @@ static bool nft_options_check(int argc, char * const argv[])
} else if (argv[i][1] == 'd' ||
argv[i][1] == 'I' ||
argv[i][1] == 'f' ||
+ argv[i][1] == 'D' ||
!strcmp(argv[i], "--debug") ||
!strcmp(argv[i], "--includepath") ||
+ !strcmp(argv[i], "--define") ||
!strcmp(argv[i], "--file")) {
skip = true;
continue;
@@ -349,10 +355,10 @@ static bool nft_options_check(int argc, char * const argv[])
int main(int argc, char * const *argv)
{
const struct option *options = get_options();
+ bool interactive = false, define = false;
const char *optstring = get_optstring();
char *buf = NULL, *filename = NULL;
unsigned int output_flags = 0;
- bool interactive = false;
unsigned int debug_mask;
unsigned int len;
int i, val, rc;
@@ -378,6 +384,15 @@ int main(int argc, char * const *argv)
case OPT_VERSION_LONG:
show_version();
exit(EXIT_SUCCESS);
+ case OPT_DEFINE:
+ if (nft_ctx_add_var(nft, optarg)) {
+ fprintf(stderr,
+ "Failed to define variable '%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+ define = true;
+ break;
case OPT_CHECK:
nft_ctx_set_dry_run(nft, true);
break;
@@ -470,6 +485,11 @@ int main(int argc, char * const *argv)
}
}
+ if (!filename && define) {
+ fprintf(stderr, "Error: -D/--define can only be used with -f/--filename\n");
+ exit(EXIT_FAILURE);
+ }
+
nft_ctx_output_set_flags(nft, output_flags);
if (optind != argc) {
diff --git a/src/meta.c b/src/meta.c
index 73d58b1f..fdbeba26 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -408,7 +408,7 @@ static void date_type_print(const struct expr *expr, struct output_ctx *octx)
* Do our own printing. The default print function will print in
* nanoseconds, which is ugly.
*/
- nft_print(octx, "%lu", tstamp);
+ nft_print(octx, "%" PRIu64, tstamp);
}
static time_t parse_iso_date(const char *sym)
diff --git a/src/mnl.c b/src/mnl.c
index 1a8e8105..f28d6605 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -22,6 +22,7 @@
#include <libnftnl/udata.h>
#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nfnetlink_hook.h>
#include <linux/netfilter/nf_tables.h>
#include <mnl.h>
@@ -34,6 +35,17 @@
#include <stdlib.h>
#include <utils.h>
#include <nftables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_arp.h>
+
+struct basehook {
+ struct list_head list;
+ const char *module_name;
+ const char *hookfn;
+ const char *table;
+ const char *chain;
+ int prio;
+};
struct mnl_socket *nft_mnl_socket_open(void)
{
@@ -698,7 +710,7 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
BYTEORDER_HOST_ENDIAN, sizeof(int));
nftnl_chain_set_s32(nlc, NFTNL_CHAIN_PRIO, priority);
nftnl_chain_set_str(nlc, NFTNL_CHAIN_TYPE,
- cmd->chain->type);
+ cmd->chain->type.str);
}
if (cmd->chain->dev_expr) {
dev_array = xmalloc(sizeof(char *) * 8);
@@ -764,6 +776,12 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
nftnl_chain_set_u32(nlc, NFTNL_CHAIN_FLAGS, cmd->chain->flags);
}
+ if (cmd->chain && cmd->chain->flags & CHAIN_F_BASECHAIN) {
+ nftnl_chain_unset(nlc, NFTNL_CHAIN_TYPE);
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->chain->type.loc);
+ mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, cmd->chain->type.str);
+ }
+
if (cmd->chain && cmd->chain->policy) {
mpz_export_data(&policy, cmd->chain->policy->value,
BYTEORDER_HOST_ENDIAN, sizeof(int));
@@ -1027,7 +1045,7 @@ static void set_key_expression(struct netlink_ctx *ctx,
struct nftnl_udata *nest1, *nest2;
if (expr->flags & EXPR_F_CONSTANT ||
- set_flags & NFT_SET_ANONYMOUS ||
+ set_is_anonymous(set_flags) ||
!expr_ops(expr)->build_udata)
return;
@@ -1868,7 +1886,7 @@ int mnl_nft_event_listener(struct mnl_socket *nf_sock, unsigned int debug_mask,
void *cb_data)
{
/* Set netlink socket buffer size to 16 Mbytes to reduce chances of
- * message loss due to ENOBUFS.
+ * message loss due to ENOBUFS.
*/
unsigned int bufsiz = NFTABLES_NLEVENT_BUFSIZ;
int fd = mnl_socket_get_fd(nf_sock);
@@ -1912,3 +1930,317 @@ int mnl_nft_event_listener(struct mnl_socket *nf_sock, unsigned int debug_mask,
}
return ret;
}
+
+static struct basehook *basehook_alloc(void)
+{
+ return xzalloc(sizeof(struct basehook));
+}
+
+static void basehook_free(struct basehook *b)
+{
+ list_del(&b->list);
+ xfree(b->module_name);
+ xfree(b->hookfn);
+ xfree(b->chain);
+ xfree(b->table);
+ xfree(b);
+}
+
+static void basehook_list_add_tail(struct basehook *b, struct list_head *head)
+{
+ list_add_tail(&b->list, head);
+}
+
+static int dump_nf_attr_cb(const struct nlattr *attr, void *data)
+{
+ int type = mnl_attr_get_type(attr);
+ const struct nlattr **tb = data;
+
+ if (mnl_attr_type_valid(attr, NFNLA_HOOK_MAX) < 0)
+ return MNL_CB_OK;
+
+ switch(type) {
+ case NFNLA_HOOK_HOOKNUM:
+ case NFNLA_HOOK_PRIORITY:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ return MNL_CB_ERROR;
+ break;
+ case NFNLA_HOOK_DEV:
+ if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
+ return MNL_CB_ERROR;
+ break;
+ case NFNLA_HOOK_MODULE_NAME:
+ case NFNLA_HOOK_FUNCTION_NAME:
+ if (mnl_attr_validate(attr, MNL_TYPE_NUL_STRING) < 0)
+ return MNL_CB_ERROR;
+ break;
+ case NFNLA_HOOK_CHAIN_INFO:
+ if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+ return MNL_CB_ERROR;
+ break;
+ default:
+ return MNL_CB_OK;
+ }
+
+ tb[type] = attr;
+ return MNL_CB_OK;
+}
+
+static int dump_nf_chain_info_cb(const struct nlattr *attr, void *data)
+{
+ int type = mnl_attr_get_type(attr);
+ const struct nlattr **tb = data;
+
+ if (mnl_attr_type_valid(attr, NFNLA_HOOK_INFO_MAX) < 0)
+ return MNL_CB_OK;
+
+ switch(type) {
+ case NFNLA_HOOK_INFO_DESC:
+ if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+ return MNL_CB_ERROR;
+ break;
+ case NFNLA_HOOK_INFO_TYPE:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ return MNL_CB_ERROR;
+ break;
+ default:
+ return MNL_CB_OK;
+ }
+
+ tb[type] = attr;
+ return MNL_CB_OK;
+}
+
+static int dump_nf_attr_chain_cb(const struct nlattr *attr, void *data)
+{
+ int type = mnl_attr_get_type(attr);
+ const struct nlattr **tb = data;
+
+ if (mnl_attr_type_valid(attr, NFTA_CHAIN_MAX) < 0)
+ return MNL_CB_OK;
+
+ switch(type) {
+ case NFTA_CHAIN_TABLE:
+ case NFTA_CHAIN_NAME:
+ if (mnl_attr_validate(attr, MNL_TYPE_NUL_STRING) < 0)
+ return MNL_CB_ERROR;
+ break;
+ default:
+ return MNL_CB_OK;
+ }
+
+ tb[type] = attr;
+ return MNL_CB_OK;
+}
+
+static int dump_nf_hooks(const struct nlmsghdr *nlh, void *data)
+{
+ const struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh);
+ struct nlattr *tb[NFNLA_HOOK_MAX + 1] = {};
+ struct list_head *head = data;
+ struct basehook *hook;
+
+ /* NB: Don't check the nft generation ID, this is not
+ * an nftables subsystem.
+ */
+ if (mnl_attr_parse(nlh, sizeof(*nfg), dump_nf_attr_cb, tb) < 0)
+ return -1;
+
+ if (!tb[NFNLA_HOOK_PRIORITY])
+ netlink_abi_error();
+
+ hook = basehook_alloc();
+ hook->prio = ntohl(mnl_attr_get_u32(tb[NFNLA_HOOK_PRIORITY]));
+
+ if (tb[NFNLA_HOOK_FUNCTION_NAME])
+ hook->hookfn = xstrdup(mnl_attr_get_str(tb[NFNLA_HOOK_FUNCTION_NAME]));
+
+ if (tb[NFNLA_HOOK_MODULE_NAME])
+ hook->module_name = xstrdup(mnl_attr_get_str(tb[NFNLA_HOOK_MODULE_NAME]));
+
+ if (tb[NFNLA_HOOK_CHAIN_INFO]) {
+ struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {};
+ uint32_t type;
+
+ if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0)
+ return -1;
+
+ type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE]));
+ if (type == NFNL_HOOK_TYPE_NFTABLES) {
+ struct nlattr *info[NFTA_CHAIN_MAX + 1] = {};
+ const char *tablename, *chainname;
+
+ if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0)
+ return -1;
+
+ tablename = mnl_attr_get_str(info[NFTA_CHAIN_TABLE]);
+ chainname = mnl_attr_get_str(info[NFTA_CHAIN_NAME]);
+ if (tablename && chainname) {
+ hook->table = xstrdup(tablename);
+ hook->chain = xstrdup(chainname);
+ }
+ }
+ }
+
+ basehook_list_add_tail(hook, head);
+ return MNL_CB_OK;
+}
+
+static struct nlmsghdr *nf_hook_dump_request(char *buf, uint8_t family, uint32_t seq)
+{
+ struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
+ struct nfgenmsg *nfg;
+
+ nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
+ nlh->nlmsg_type = NFNL_SUBSYS_HOOK << 8;
+ nlh->nlmsg_seq = seq;
+
+ nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
+ nfg->nfgen_family = family;
+ nfg->version = NFNETLINK_V0;
+
+ return nlh;
+}
+
+static int __mnl_nft_dump_nf_hooks(struct netlink_ctx *ctx, uint8_t family, uint8_t hooknum, const char *devname)
+{
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct basehook *hook, *tmp;
+ struct nlmsghdr *nlh;
+ LIST_HEAD(hook_list);
+ FILE *fp;
+ int ret;
+
+ nlh = nf_hook_dump_request(buf, family, ctx->seqnum);
+ if (devname)
+ mnl_attr_put_strz(nlh, NFNLA_HOOK_DEV, devname);
+
+ mnl_attr_put_u32(nlh, NFNLA_HOOK_HOOKNUM, htonl(hooknum));
+
+ ret = nft_mnl_talk(ctx, nlh, nlh->nlmsg_len, dump_nf_hooks, &hook_list);
+ if (ret)
+ return ret;
+
+ if (list_empty(&hook_list))
+ return 0;
+
+ fp = ctx->nft->output.output_fp;
+ fprintf(fp, "family %s hook %s", family2str(family), hooknum2str(family, hooknum));
+ if (devname)
+ fprintf(fp, " device %s", devname);
+
+ fprintf(fp, " {\n");
+
+ list_for_each_entry_safe(hook, tmp, &hook_list, list) {
+ int prio = hook->prio;
+
+ if (prio < 0)
+ fprintf(fp, "\t%011d", prio); /* outputs a '-' sign */
+ else
+ fprintf(fp, "\t+%010u", prio);
+
+ if (hook->hookfn) {
+ fprintf(fp, " %s", hook->hookfn);
+ if (hook->module_name)
+ fprintf(fp, " [%s]", hook->module_name);
+ }
+
+ if (hook->table && hook->chain)
+ fprintf(fp, "\t# nft table %s %s chain %s", family2str(family), hook->table, hook->chain);
+
+ fprintf(fp, "\n");
+ basehook_free(hook);
+ }
+
+ fprintf(fp, "}\n");
+ return ret;
+}
+
+int mnl_nft_dump_nf_hooks(struct netlink_ctx *ctx, int family, int hook, const char *devname)
+{
+ unsigned int i;
+ int ret, err;
+
+ errno = 0;
+ ret = 0;
+
+ switch (family) {
+ case NFPROTO_UNSPEC:
+ if (devname)
+ return mnl_nft_dump_nf_hooks(ctx, NFPROTO_NETDEV, NF_INET_INGRESS, devname);
+
+ err = mnl_nft_dump_nf_hooks(ctx, NFPROTO_INET, hook, NULL);
+ if (err < 0 && errno != EPROTONOSUPPORT)
+ ret = err;
+ err = mnl_nft_dump_nf_hooks(ctx, NFPROTO_ARP, hook, NULL);
+ if (err < 0 && errno != EPROTONOSUPPORT)
+ ret = err;
+ err = mnl_nft_dump_nf_hooks(ctx, NFPROTO_BRIDGE, hook, NULL);
+ if (err < 0 && errno != EPROTONOSUPPORT)
+ ret = err;
+ err = mnl_nft_dump_nf_hooks(ctx, NFPROTO_DECNET, hook, NULL);
+ if (err < 0 && errno != EPROTONOSUPPORT)
+ ret = err;
+ break;
+ case NFPROTO_INET:
+ if (devname) {
+ err = __mnl_nft_dump_nf_hooks(ctx, family, NF_INET_INGRESS, devname);
+ if (err < 0)
+ ret = err;
+ }
+
+ err = mnl_nft_dump_nf_hooks(ctx, NFPROTO_IPV4, hook, NULL);
+ if (err < 0)
+ ret = err;
+ err = mnl_nft_dump_nf_hooks(ctx, NFPROTO_IPV6, hook, NULL);
+ if (err < 0)
+ ret = err;
+
+ break;
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ case NFPROTO_BRIDGE:
+ if (hook >= 0)
+ return __mnl_nft_dump_nf_hooks(ctx, family, hook, devname);
+
+ for (i = 0; i <= NF_INET_POST_ROUTING; i++) {
+ err = __mnl_nft_dump_nf_hooks(ctx, family, i, NULL);
+ if (err < 0)
+ err = ret;
+ }
+ break;
+ case NFPROTO_ARP:
+ if (hook >= 0)
+ return __mnl_nft_dump_nf_hooks(ctx, family, hook, devname);
+
+ err = __mnl_nft_dump_nf_hooks(ctx, family, NF_ARP_IN, devname);
+ if (err < 0)
+ ret = err;
+ err = __mnl_nft_dump_nf_hooks(ctx, family, NF_ARP_OUT, devname);
+ if (err < 0)
+ ret = err;
+ break;
+ case NFPROTO_NETDEV:
+ if (hook >= 0)
+ return __mnl_nft_dump_nf_hooks(ctx, family, hook, devname);
+
+ err = __mnl_nft_dump_nf_hooks(ctx, family, NF_INET_INGRESS, devname);
+ if (err < 0)
+ ret = err;
+ break;
+ case NFPROTO_DECNET:
+ if (hook >= 0)
+ return __mnl_nft_dump_nf_hooks(ctx, family, hook, devname);
+#define NF_DN_NUMHOOKS 7
+ for (i = 0; i < NF_DN_NUMHOOKS; i++) {
+ err = __mnl_nft_dump_nf_hooks(ctx, family, i, devname);
+ if (err < 0) {
+ ret = err;
+ break;
+ }
+ }
+ break;
+ }
+
+ return ret;
+}
diff --git a/src/netlink.c b/src/netlink.c
index 8cdd6d81..cbf9d436 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -97,6 +97,9 @@ struct nftnl_expr *alloc_nft_expr(const char *name)
return nle;
}
+void __netlink_gen_data(const struct expr *expr,
+ struct nft_data_linearize *data, bool expand);
+
static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
const struct expr *expr)
{
@@ -130,11 +133,11 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
case EXPR_SET_ELEM_CATCHALL:
break;
default:
- netlink_gen_data(key, &nld);
+ __netlink_gen_data(key, &nld, false);
nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY, &nld.value, nld.len);
if (set->set_flags & NFT_SET_INTERVAL && key->field_count > 1) {
key->flags |= EXPR_F_INTERVAL_END;
- netlink_gen_data(key, &nld);
+ __netlink_gen_data(key, &nld, false);
key->flags &= ~EXPR_F_INTERVAL_END;
nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_KEY_END,
@@ -185,7 +188,7 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
nftnl_udata_buf_free(udbuf);
}
if (set_is_datamap(set->set_flags) && data != NULL) {
- netlink_gen_data(data, &nld);
+ __netlink_gen_data(data, &nld, !(data->flags & EXPR_F_SINGLETON));
switch (data->etype) {
case EXPR_VERDICT:
nftnl_set_elem_set_u32(nlse, NFTNL_SET_ELEM_VERDICT,
@@ -270,8 +273,8 @@ static int netlink_gen_concat_data_expr(int end, const struct expr *i,
return netlink_export_pad(data, i->value, i);
}
-static void netlink_gen_concat_data(const struct expr *expr,
- struct nft_data_linearize *nld)
+static void __netlink_gen_concat(const struct expr *expr,
+ struct nft_data_linearize *nld)
{
unsigned int len = expr->len / BITS_PER_BYTE, offset = 0;
int end = expr->flags & EXPR_F_INTERVAL_END;
@@ -287,6 +290,35 @@ static void netlink_gen_concat_data(const struct expr *expr,
nld->len = len;
}
+static void __netlink_gen_concat_expand(const struct expr *expr,
+ struct nft_data_linearize *nld)
+{
+ unsigned int len = div_round_up(expr->len, BITS_PER_BYTE) * 2, offset = 0;
+ unsigned char data[len];
+ const struct expr *i;
+
+ memset(data, 0, len);
+
+ list_for_each_entry(i, &expr->expressions, list)
+ offset += netlink_gen_concat_data_expr(false, i, data + offset);
+
+ list_for_each_entry(i, &expr->expressions, list)
+ offset += netlink_gen_concat_data_expr(true, i, data + offset);
+
+ memcpy(nld->value, data, len);
+ nld->len = len;
+}
+
+static void netlink_gen_concat_data(const struct expr *expr,
+ struct nft_data_linearize *nld,
+ bool expand)
+{
+ if (expand)
+ __netlink_gen_concat_expand(expr, nld);
+ else
+ __netlink_gen_concat(expr, nld);
+}
+
static void netlink_gen_constant_data(const struct expr *expr,
struct nft_data_linearize *data)
{
@@ -366,13 +398,14 @@ static void netlink_gen_prefix(const struct expr *expr,
nld->len = len;
}
-void netlink_gen_data(const struct expr *expr, struct nft_data_linearize *data)
+void __netlink_gen_data(const struct expr *expr,
+ struct nft_data_linearize *data, bool expand)
{
switch (expr->etype) {
case EXPR_VALUE:
return netlink_gen_constant_data(expr, data);
case EXPR_CONCAT:
- return netlink_gen_concat_data(expr, data);
+ return netlink_gen_concat_data(expr, data, expand);
case EXPR_VERDICT:
return netlink_gen_verdict(expr, data);
case EXPR_RANGE:
@@ -384,6 +417,11 @@ void netlink_gen_data(const struct expr *expr, struct nft_data_linearize *data)
}
}
+void netlink_gen_data(const struct expr *expr, struct nft_data_linearize *data)
+{
+ __netlink_gen_data(expr, data, false);
+}
+
struct expr *netlink_alloc_value(const struct location *loc,
const struct nft_data_delinearize *nld)
{
@@ -517,6 +555,14 @@ static int chain_parse_udata_cb(const struct nftnl_udata *attr, void *data)
return 0;
}
+static int qsort_device_cmp(const void *a, const void *b)
+{
+ const char **x = (const char **)a;
+ const char **y = (const char **)b;
+
+ return strcmp(*x, *y);
+}
+
struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
const struct nftnl_chain *nlc)
{
@@ -552,7 +598,7 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
BYTEORDER_HOST_ENDIAN,
sizeof(int) * BITS_PER_BYTE,
&priority);
- chain->type =
+ chain->type.str =
xstrdup(nftnl_chain_get_str(nlc, NFTNL_CHAIN_TYPE));
policy = nftnl_chain_get_u32(nlc, NFTNL_CHAIN_POLICY);
chain->policy = constant_expr_alloc(&netlink_location,
@@ -580,12 +626,18 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
chain->dev_array_len = len;
}
chain->flags |= CHAIN_F_BASECHAIN;
+
+ if (chain->dev_array_len) {
+ qsort(chain->dev_array, chain->dev_array_len,
+ sizeof(char *), qsort_device_cmp);
+ }
}
if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_USERDATA)) {
udata = nftnl_chain_get_data(nlc, NFTNL_CHAIN_USERDATA, &ulen);
if (nftnl_udata_parse(udata, ulen, chain_parse_udata_cb, ud) < 0) {
netlink_io_error(ctx, NULL, "Cannot parse userdata");
+ chain_free(chain);
return NULL;
}
if (ud[NFTNL_UDATA_CHAIN_COMMENT])
@@ -633,6 +685,7 @@ struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
udata = nftnl_table_get_data(nlt, NFTNL_TABLE_USERDATA, &ulen);
if (nftnl_udata_parse(udata, ulen, table_parse_udata_cb, ud) < 0) {
netlink_io_error(ctx, NULL, "Cannot parse userdata");
+ table_free(table);
return NULL;
}
if (ud[NFTNL_UDATA_TABLE_COMMENT])
@@ -854,7 +907,7 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
if (ud[NFTNL_UDATA_SET_DATA_TYPEOF])
typeof_expr_data = set_make_key(ud[NFTNL_UDATA_SET_DATA_TYPEOF]);
if (ud[NFTNL_UDATA_SET_COMMENT])
- comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_SET_COMMENT]));
+ comment = nftnl_udata_get(ud[NFTNL_UDATA_SET_COMMENT]);
}
key = nftnl_set_get_u32(nls, NFTNL_SET_KEY_TYPE);
@@ -892,7 +945,7 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
set->handle.set.name = xstrdup(nftnl_set_get_str(nls, NFTNL_SET_NAME));
set->automerge = automerge;
if (comment)
- set->comment = comment;
+ set->comment = xstrdup(comment);
init_list_head(&set_parse_ctx.stmt_list);
@@ -1038,10 +1091,28 @@ struct expr *range_expr_to_prefix(struct expr *range)
return range;
}
-static struct expr *netlink_parse_interval_elem(const struct datatype *dtype,
+static struct expr *range_expr_reduce(struct expr *range)
+{
+ struct expr *expr;
+
+ if (!mpz_cmp(range->left->value, range->right->value)) {
+ expr = expr_get(range->left);
+ expr_free(range);
+ return expr;
+ }
+
+ if (range->left->dtype->type != TYPE_IPADDR &&
+ range->left->dtype->type != TYPE_IP6ADDR)
+ return range;
+
+ return range_expr_to_prefix(range);
+}
+
+static struct expr *netlink_parse_interval_elem(const struct set *set,
struct expr *expr)
{
unsigned int len = div_round_up(expr->len, BITS_PER_BYTE);
+ const struct datatype *dtype = set->data->dtype;
struct expr *range, *left, *right;
char data[len];
@@ -1058,31 +1129,84 @@ static struct expr *netlink_parse_interval_elem(const struct datatype *dtype,
return range_expr_to_prefix(range);
}
-static struct expr *netlink_parse_concat_elem(const struct datatype *dtype,
- struct expr *data)
+static struct expr *concat_elem_expr(struct expr *expr,
+ const struct datatype *dtype,
+ struct expr *data, int *off)
{
const struct datatype *subtype;
+
+ subtype = concat_subtype_lookup(dtype->type, --(*off));
+
+ expr = constant_expr_splice(data, subtype->size);
+ expr->dtype = subtype;
+ expr->byteorder = subtype->byteorder;
+
+ if (expr->byteorder == BYTEORDER_HOST_ENDIAN)
+ mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
+
+ if (expr->dtype->basetype != NULL &&
+ expr->dtype->basetype->type == TYPE_BITMASK)
+ expr = bitmask_expr_to_binops(expr);
+
+ data->len -= netlink_padding_len(expr->len);
+
+ return expr;
+}
+
+static struct expr *netlink_parse_concat_elem_key(const struct set *set,
+ struct expr *data)
+{
+ const struct datatype *dtype = set->key->dtype;
struct expr *concat, *expr;
int off = dtype->subtypes;
concat = concat_expr_alloc(&data->location);
while (off > 0) {
- subtype = concat_subtype_lookup(dtype->type, --off);
+ expr = concat_elem_expr(expr, dtype, data, &off);
+ compound_expr_add(concat, expr);
+ }
+
+ expr_free(data);
+
+ return concat;
+}
+
+static struct expr *netlink_parse_concat_elem(const struct set *set,
+ struct expr *data)
+{
+ const struct datatype *dtype = set->data->dtype;
+ struct expr *concat, *expr, *left, *range;
+ struct list_head expressions;
+ int off = dtype->subtypes;
+
+ init_list_head(&expressions);
+
+ concat = concat_expr_alloc(&data->location);
+ while (off > 0) {
+ expr = concat_elem_expr(expr, dtype, data, &off);
+ list_add_tail(&expr->list, &expressions);
+ }
- expr = constant_expr_splice(data, subtype->size);
- expr->dtype = subtype;
- expr->byteorder = subtype->byteorder;
+ if (set->data->flags & EXPR_F_INTERVAL) {
+ assert(!list_empty(&expressions));
- if (expr->byteorder == BYTEORDER_HOST_ENDIAN)
- mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
+ off = dtype->subtypes;
- if (expr->dtype->basetype != NULL &&
- expr->dtype->basetype->type == TYPE_BITMASK)
- expr = bitmask_expr_to_binops(expr);
+ while (off > 0) {
+ left = list_first_entry(&expressions, struct expr, list);
- compound_expr_add(concat, expr);
- data->len -= netlink_padding_len(expr->len);
+ expr = concat_elem_expr(expr, dtype, data, &off);
+ list_del(&left->list);
+
+ range = range_expr_alloc(&data->location, left, expr);
+ range = range_expr_reduce(range);
+ compound_expr_add(concat, range);
+ }
+ assert(list_empty(&expressions));
+ } else {
+ list_splice_tail(&expressions, &concat->expressions);
}
+
expr_free(data);
return concat;
@@ -1154,7 +1278,7 @@ key_end:
datatype_set(key, set->key->dtype);
key->byteorder = set->key->byteorder;
if (set->key->dtype->subtypes)
- key = netlink_parse_concat_elem(set->key->dtype, key);
+ key = netlink_parse_concat_elem_key(set, key);
if (!(set->flags & NFT_SET_INTERVAL) &&
key->byteorder == BYTEORDER_HOST_ENDIAN)
@@ -1217,10 +1341,10 @@ key_end:
datatype_set(data, set->data->dtype);
data->byteorder = set->data->byteorder;
- if (set->data->flags & EXPR_F_INTERVAL)
- data = netlink_parse_interval_elem(set->data->dtype, data);
- else if (set->data->dtype->subtypes)
- data = netlink_parse_concat_elem(set->data->dtype, data);
+ if (set->data->dtype->subtypes) {
+ data = netlink_parse_concat_elem(set, data);
+ } else if (set->data->flags & EXPR_F_INTERVAL)
+ data = netlink_parse_interval_elem(set, data);
if (data->byteorder == BYTEORDER_HOST_ENDIAN)
mpz_switch_byteorder(data->value, data->len / BITS_PER_BYTE);
@@ -1435,6 +1559,7 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
udata = nftnl_obj_get_data(nlo, NFTNL_OBJ_USERDATA, &ulen);
if (nftnl_udata_parse(udata, ulen, obj_parse_udata_cb, ud) < 0) {
netlink_io_error(ctx, NULL, "Cannot parse userdata");
+ obj_free(obj);
return NULL;
}
if (ud[NFTNL_UDATA_OBJ_COMMENT])
@@ -1468,6 +1593,7 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
obj->ct_helper.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_HELPER_L4PROTO);
break;
case NFT_OBJECT_CT_TIMEOUT:
+ init_list_head(&obj->ct_timeout.timeout_list);
obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO);
obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO);
memcpy(obj->ct_timeout.timeout,
@@ -1582,6 +1708,11 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
flowtable->dev_array_len = len;
+ if (flowtable->dev_array_len) {
+ qsort(flowtable->dev_array, flowtable->dev_array_len,
+ sizeof(char *), qsort_device_cmp);
+ }
+
priority = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_PRIO);
flowtable->priority.expr =
constant_expr_alloc(&netlink_location,
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 81fe4c16..c7dae266 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -637,7 +637,7 @@ static void netlink_parse_exthdr(struct netlink_parse_ctx *ctx,
sreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_SREG);
val = netlink_get_register(ctx, loc, sreg);
if (val == NULL) {
- xfree(expr);
+ expr_free(expr);
return netlink_error(ctx, loc,
"exthdr statement has no expression");
}
@@ -679,7 +679,7 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
len = nftnl_expr_get_u32(nle,
NFTNL_EXPR_HASH_LEN) * BITS_PER_BYTE;
if (hexpr->len < len) {
- xfree(hexpr);
+ expr_free(hexpr);
hexpr = netlink_parse_concat_expr(ctx, loc, sreg, len);
if (hexpr == NULL)
goto out_err;
@@ -691,7 +691,7 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
netlink_set_register(ctx, dreg, expr);
return;
out_err:
- xfree(expr);
+ expr_free(expr);
}
static void netlink_parse_fib(struct netlink_parse_ctx *ctx,
@@ -1015,7 +1015,8 @@ static void netlink_parse_reject(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
}
-static bool is_nat_addr_map(const struct expr *addr, uint8_t family)
+static bool is_nat_addr_map(const struct expr *addr, uint8_t family,
+ struct stmt *stmt)
{
const struct expr *mappings, *data;
const struct set *set;
@@ -1034,14 +1035,31 @@ static bool is_nat_addr_map(const struct expr *addr, uint8_t family)
if (!(data->flags & EXPR_F_INTERVAL))
return false;
+ stmt->nat.family = family;
+
/* if we're dealing with an address:address map,
* the length will be bit_sizeof(addr) + 32 (one register).
*/
switch (family) {
case NFPROTO_IPV4:
- return data->len == 32 + 32;
+ if (data->len == 32 + 32) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL;
+ return true;
+ } else if (data->len == 32 + 32 + 32 + 32) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL |
+ STMT_NAT_F_CONCAT;
+ return true;
+ }
+ break;
case NFPROTO_IPV6:
- return data->len == 128 + 128;
+ if (data->len == 128 + 128) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL;
+ return true;
+ } else if (data->len == 128 + 32 + 128 + 32) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL |
+ STMT_NAT_F_CONCAT;
+ return true;
+ }
}
return false;
@@ -1117,9 +1135,8 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
stmt->nat.addr = addr;
}
- if (is_nat_addr_map(addr, family)) {
+ if (is_nat_addr_map(addr, family, stmt)) {
stmt->nat.family = family;
- stmt->nat.type_flags |= STMT_NAT_F_INTERVAL;
ctx->stmt = stmt;
return;
}
@@ -1183,7 +1200,7 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
return;
out_err:
- xfree(stmt);
+ stmt_free(stmt);
}
static void netlink_parse_synproxy(struct netlink_parse_ctx *ctx,
@@ -1247,7 +1264,7 @@ static void netlink_parse_tproxy(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
return;
err:
- xfree(stmt);
+ stmt_free(stmt);
}
static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
@@ -1294,7 +1311,7 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
return;
out_err:
- xfree(stmt);
+ stmt_free(stmt);
}
static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
@@ -1345,7 +1362,7 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
return;
out_err:
- xfree(stmt);
+ stmt_free(stmt);
}
static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
@@ -1398,7 +1415,7 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
return;
out_err:
- xfree(stmt);
+ stmt_free(stmt);
}
static void netlink_parse_fwd(struct netlink_parse_ctx *ctx,
@@ -1460,34 +1477,43 @@ static void netlink_parse_fwd(struct netlink_parse_ctx *ctx,
ctx->stmt = stmt;
return;
out_err:
- xfree(stmt);
+ stmt_free(stmt);
}
static void netlink_parse_queue(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
{
- struct expr *expr, *high;
- struct stmt *stmt;
- uint16_t num, total;
+ struct expr *expr;
+ uint16_t flags;
- num = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_NUM);
- total = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_TOTAL);
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_QUEUE_SREG_QNUM)) {
+ enum nft_registers reg = netlink_parse_register(nle, NFTNL_EXPR_QUEUE_SREG_QNUM);
- expr = constant_expr_alloc(loc, &integer_type,
- BYTEORDER_HOST_ENDIAN, 16, &num);
- if (total > 1) {
- total += num - 1;
- high = constant_expr_alloc(loc, &integer_type,
+ expr = netlink_get_register(ctx, loc, reg);
+ if (!expr) {
+ netlink_error(ctx, loc, "queue statement has no sreg expression");
+ return;
+ }
+ } else {
+ uint16_t total = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_TOTAL);
+ uint16_t num = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_NUM);
+
+ expr = constant_expr_alloc(loc, &integer_type,
+ BYTEORDER_HOST_ENDIAN, 16, &num);
+
+ if (total > 1) {
+ struct expr *high;
+
+ total += num - 1;
+ high = constant_expr_alloc(loc, &integer_type,
BYTEORDER_HOST_ENDIAN, 16, &total);
- expr = range_expr_alloc(loc, expr, high);
+ expr = range_expr_alloc(loc, expr, high);
+ }
}
- stmt = queue_stmt_alloc(loc);
- stmt->queue.queue = expr;
- stmt->queue.flags = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_FLAGS);
-
- ctx->stmt = stmt;
+ flags = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_FLAGS);
+ ctx->stmt = queue_stmt_alloc(loc, expr, flags);
}
struct dynset_parse_ctx {
@@ -1591,7 +1617,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
&stmt->map.stmt_list);
} else {
if (!list_empty(&dynset_parse_ctx.stmt_list) &&
- set->flags & NFT_SET_ANONYMOUS) {
+ set_is_anonymous(set->flags)) {
stmt = meter_stmt_alloc(loc);
stmt->meter.set = set_ref_expr_alloc(loc, set);
stmt->meter.key = expr;
@@ -1614,7 +1640,7 @@ out_err:
list_for_each_entry_safe(dstmt, next, &dynset_parse_ctx.stmt_list, list)
stmt_free(dstmt);
- xfree(expr);
+ expr_free(expr);
}
static void netlink_parse_objref(struct netlink_parse_ctx *ctx,
@@ -1733,9 +1759,8 @@ void expr_handler_init(void)
unsigned int i;
uint32_t hash;
- expr_handle_ht = calloc(NFT_EXPR_HSIZE, sizeof(expr_handle_ht));
- if (!expr_handle_ht)
- memory_allocation_error();
+ expr_handle_ht = xzalloc_array(NFT_EXPR_HSIZE,
+ sizeof(expr_handle_ht[0]));
for (i = 0; i < array_size(netlink_parsers); i++) {
hash = djb_hash(netlink_parsers[i].name) % NFT_EXPR_HSIZE;
@@ -1820,9 +1845,6 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
enum proto_bases base = left->payload.base;
bool stacked;
- if (ctx->pdctx.icmp_type)
- ctx->pctx.th_dep.icmp.type = ctx->pdctx.icmp_type;
-
payload_expr_expand(&list, left, &ctx->pctx);
list_for_each_entry(left, &list, list) {
@@ -1869,6 +1891,58 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
ctx->stmt = NULL;
}
+static void payload_icmp_check(struct rule_pp_ctx *rctx, struct expr *expr, const struct expr *value)
+{
+ const struct proto_hdr_template *tmpl;
+ const struct proto_desc *desc;
+ uint8_t icmp_type;
+ unsigned int i;
+
+ assert(expr->etype == EXPR_PAYLOAD);
+ assert(value->etype == EXPR_VALUE);
+
+ if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR)
+ return;
+
+ /* icmp(v6) type is 8 bit, if value is smaller or larger, this is not
+ * a protocol dependency.
+ */
+ if (expr->len != 8 || value->len != 8 || rctx->pctx.th_dep.icmp.type)
+ return;
+
+ desc = rctx->pctx.protocol[expr->payload.base].desc;
+ if (desc == NULL)
+ return;
+
+ /* not icmp? ignore. */
+ if (desc != &proto_icmp && desc != &proto_icmp6)
+ return;
+
+ assert(desc->base == expr->payload.base);
+
+ icmp_type = mpz_get_uint8(value->value);
+
+ for (i = 1; i < array_size(desc->templates); i++) {
+ tmpl = &desc->templates[i];
+
+ if (tmpl->len == 0)
+ return;
+
+ if (tmpl->offset != expr->payload.offset ||
+ tmpl->len != expr->len)
+ continue;
+
+ /* Matches but doesn't load a protocol key -> ignore. */
+ if (desc->protocol_key != i)
+ return;
+
+ expr->payload.desc = desc;
+ expr->payload.tmpl = tmpl;
+ rctx->pctx.th_dep.icmp.type = icmp_type;
+ return;
+ }
+}
+
static void payload_match_postprocess(struct rule_pp_ctx *ctx,
struct expr *expr,
struct expr *payload)
@@ -1884,6 +1958,20 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx,
if (expr->right->etype == EXPR_VALUE) {
payload_match_expand(ctx, expr, payload);
break;
+ } else if (expr->right->etype == EXPR_SET_REF) {
+ struct set *set = expr->right->set;
+
+ if (set_is_anonymous(set->flags) &&
+ set->init &&
+ !list_empty(&set->init->expressions)) {
+ struct expr *elem;
+
+ elem = list_first_entry(&set->init->expressions, struct expr, list);
+
+ if (elem->etype == EXPR_SET_ELEM &&
+ elem->key->etype == EXPR_VALUE)
+ payload_icmp_check(ctx, payload, elem->key);
+ }
}
/* Fall through */
default:
@@ -2166,35 +2254,55 @@ static void map_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr)
binop_postprocess(ctx, expr);
}
-static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr)
+static void relational_binop_postprocess(struct rule_pp_ctx *ctx,
+ struct expr **exprp)
{
- struct expr *binop = expr->left, *value = expr->right;
+ struct expr *expr = *exprp, *binop = expr->left, *value = expr->right;
if (binop->op == OP_AND && (expr->op == OP_NEQ || expr->op == OP_EQ) &&
value->dtype->basetype &&
- value->dtype->basetype->type == TYPE_BITMASK &&
- value->etype == EXPR_VALUE &&
- !mpz_cmp_ui(value->value, 0)) {
- /* Flag comparison: data & flags != 0
- *
- * Split the flags into a list of flag values and convert the
- * op to OP_EQ.
- */
- expr_free(value);
-
- expr->left = expr_get(binop->left);
- expr->right = binop_tree_to_list(NULL, binop->right);
- switch (expr->op) {
- case OP_NEQ:
- expr->op = OP_IMPLICIT;
+ value->dtype->basetype->type == TYPE_BITMASK) {
+ switch (value->etype) {
+ case EXPR_VALUE:
+ if (!mpz_cmp_ui(value->value, 0)) {
+ /* Flag comparison: data & flags != 0
+ *
+ * Split the flags into a list of flag values and convert the
+ * op to OP_EQ.
+ */
+ expr_free(value);
+
+ expr->left = expr_get(binop->left);
+ expr->right = binop_tree_to_list(NULL, binop->right);
+ switch (expr->op) {
+ case OP_NEQ:
+ expr->op = OP_IMPLICIT;
+ break;
+ case OP_EQ:
+ expr->op = OP_NEG;
+ break;
+ default:
+ BUG("unknown operation type %d\n", expr->op);
+ }
+ expr_free(binop);
+ } else {
+ *exprp = flagcmp_expr_alloc(&expr->location, expr->op,
+ expr_get(binop->left),
+ binop_tree_to_list(NULL, binop->right),
+ expr_get(value));
+ expr_free(expr);
+ }
break;
- case OP_EQ:
- expr->op = OP_NEG;
+ case EXPR_BINOP:
+ *exprp = flagcmp_expr_alloc(&expr->location, expr->op,
+ expr_get(binop->left),
+ binop_tree_to_list(NULL, binop->right),
+ binop_tree_to_list(NULL, value));
+ expr_free(expr);
break;
default:
- BUG("unknown operation type %d\n", expr->op);
+ break;
}
- expr_free(binop);
} else if (binop->left->dtype->flags & DTYPE_F_PREFIX &&
binop->op == OP_AND && expr->right->etype == EXPR_VALUE &&
expr_mask_is_prefix(binop->right)) {
@@ -2313,8 +2421,10 @@ static struct expr *expr_postprocess_string(struct expr *expr)
mask = constant_expr_alloc(&expr->location, &integer_type,
BYTEORDER_HOST_ENDIAN,
expr->len + BITS_PER_BYTE, NULL);
+ mpz_clear(mask->value);
mpz_init_bitmask(mask->value, expr->len);
out = string_wildcard_expr_alloc(&expr->location, mask, expr);
+ expr_free(expr);
expr_free(mask);
return out;
}
@@ -2403,7 +2513,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
meta_match_postprocess(ctx, expr);
break;
case EXPR_BINOP:
- relational_binop_postprocess(ctx, expr);
+ relational_binop_postprocess(ctx, exprp);
break;
default:
break;
@@ -2430,6 +2540,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
case EXPR_RANGE:
expr_postprocess(ctx, &expr->left);
expr_postprocess(ctx, &expr->right);
+ break;
case EXPR_PREFIX:
expr_postprocess(ctx, &expr->prefix);
break;
@@ -2772,6 +2883,18 @@ static void stmt_payload_postprocess(struct rule_pp_ctx *ctx)
expr_postprocess(ctx, &stmt->payload.val);
}
+static void stmt_queue_postprocess(struct rule_pp_ctx *ctx)
+{
+ struct stmt *stmt = ctx->stmt;
+ struct expr *e = stmt->queue.queue;
+
+ if (e == NULL || e->etype == EXPR_VALUE ||
+ e->etype == EXPR_RANGE)
+ return;
+
+ expr_postprocess(ctx, &stmt->queue.queue);
+}
+
/*
* We can only remove payload dependencies if they occur without
* a statement with side effects in between.
@@ -2795,8 +2918,9 @@ rule_maybe_reset_payload_deps(struct payload_dep_ctx *pdctx, enum stmt_types t)
static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *rule)
{
- struct rule_pp_ctx rctx;
struct stmt *stmt, *next;
+ struct rule_pp_ctx rctx;
+ struct expr *expr;
memset(&rctx, 0, sizeof(rctx));
proto_ctx_init(&rctx.pctx, rule->handle.family, ctx->debug_mask);
@@ -2825,9 +2949,11 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
expr_postprocess(&rctx, &stmt->ct.expr);
if (stmt->ct.expr->etype == EXPR_BINOP &&
- stmt->ct.key == NFT_CT_EVENTMASK)
- stmt->ct.expr = binop_tree_to_list(NULL,
- stmt->ct.expr);
+ stmt->ct.key == NFT_CT_EVENTMASK) {
+ expr = binop_tree_to_list(NULL, stmt->ct.expr);
+ expr_free(stmt->ct.expr);
+ stmt->ct.expr = expr;
+ }
}
break;
case STMT_NAT:
@@ -2873,6 +2999,9 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
case STMT_OBJREF:
expr_postprocess(&rctx, &stmt->objref.expr);
break;
+ case STMT_QUEUE:
+ stmt_queue_postprocess(&rctx);
+ break;
default:
break;
}
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 7b35aae1..9ab3ec3e 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1165,11 +1165,14 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
amin_reg);
if (stmt->nat.addr->etype == EXPR_MAP &&
stmt->nat.addr->mappings->set->data->flags & EXPR_F_INTERVAL) {
- amax_reg = get_register(ctx, NULL);
- registers++;
amin_reg += netlink_register_space(nat_addrlen(family));
- netlink_put_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MAX,
- amin_reg);
+ if (stmt->nat.type_flags & STMT_NAT_F_CONCAT) {
+ netlink_put_register(nle, nftnl_reg_pmin,
+ amin_reg);
+ } else {
+ netlink_put_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MAX,
+ amin_reg);
+ }
}
}
@@ -1181,6 +1184,12 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
pmin_reg = amin_reg;
+ if (stmt->nat.type_flags & STMT_NAT_F_INTERVAL) {
+ pmin_reg += netlink_register_space(nat_addrlen(family));
+ netlink_put_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MAX,
+ pmin_reg);
+ }
+
/* if STMT_NAT_F_CONCAT is set, the mapped type is a
* concatenation of 'addr . inet_service'.
* The map lookup will then return the
@@ -1189,7 +1198,10 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
* will hold the inet_service part.
*/
pmin_reg += netlink_register_space(nat_addrlen(family));
- netlink_put_register(nle, nftnl_reg_pmin, pmin_reg);
+ if (stmt->nat.type_flags & STMT_NAT_F_INTERVAL)
+ netlink_put_register(nle, nftnl_reg_pmax, pmin_reg);
+ else
+ netlink_put_register(nle, nftnl_reg_pmin, pmin_reg);
}
}
@@ -1334,21 +1346,39 @@ static void netlink_gen_fwd_stmt(struct netlink_linearize_ctx *ctx,
static void netlink_gen_queue_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
+ enum nft_registers sreg = 0;
struct nftnl_expr *nle;
uint16_t total_queues;
+ struct expr *expr;
mpz_t low, high;
mpz_init2(low, 16);
mpz_init2(high, 16);
- if (stmt->queue.queue != NULL) {
- range_expr_value_low(low, stmt->queue.queue);
- range_expr_value_high(high, stmt->queue.queue);
+
+ expr = stmt->queue.queue;
+
+ if (expr) {
+ if (expr->etype == EXPR_RANGE || expr->etype == EXPR_VALUE) {
+ range_expr_value_low(low, stmt->queue.queue);
+ range_expr_value_high(high, stmt->queue.queue);
+ } else {
+ sreg = get_register(ctx, expr);
+ netlink_gen_expr(ctx, expr, sreg);
+ release_register(ctx, expr);
+ }
}
+
total_queues = mpz_get_uint16(high) - mpz_get_uint16(low) + 1;
nle = alloc_nft_expr("queue");
- nftnl_expr_set_u16(nle, NFTNL_EXPR_QUEUE_NUM, mpz_get_uint16(low));
- nftnl_expr_set_u16(nle, NFTNL_EXPR_QUEUE_TOTAL, total_queues);
+
+ if (sreg) {
+ netlink_put_register(nle, NFTNL_EXPR_QUEUE_SREG_QNUM, sreg);
+ } else {
+ nftnl_expr_set_u16(nle, NFTNL_EXPR_QUEUE_NUM, mpz_get_uint16(low));
+ nftnl_expr_set_u16(nle, NFTNL_EXPR_QUEUE_TOTAL, total_queues);
+ }
+
if (stmt->queue.flags)
nftnl_expr_set_u16(nle, NFTNL_EXPR_QUEUE_FLAGS,
stmt->queue.flags);
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 000eb40a..b83ac9a2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -10,6 +10,7 @@
%{
+#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>
@@ -38,6 +39,7 @@
#include <utils.h>
#include <parser.h>
#include <erec.h>
+#include <sctp_chunk.h>
#include "parser_bison.h"
@@ -237,6 +239,7 @@ int nft_lex(void *, void *, void *);
%token TYPEOF "typeof"
%token HOOK "hook"
+%token HOOKS "hooks"
%token DEVICE "device"
%token DEVICES "devices"
%token TABLE "table"
@@ -325,6 +328,7 @@ int nft_lex(void *, void *, void *);
%token VLAN "vlan"
%token ID "id"
%token CFI "cfi"
+%token DEI "dei"
%token PCP "pcp"
%token ARP "arp"
@@ -417,6 +421,40 @@ int nft_lex(void *, void *, void *);
%token DCCP "dccp"
%token SCTP "sctp"
+%token CHUNK "chunk"
+%token DATA "data"
+%token INIT "init"
+%token INIT_ACK "init-ack"
+%token HEARTBEAT "heartbeat"
+%token HEARTBEAT_ACK "heartbeat-ack"
+%token ABORT "abort"
+%token SHUTDOWN "shutdown"
+%token SHUTDOWN_ACK "shutdown-ack"
+%token ERROR "error"
+%token COOKIE_ECHO "cookie-echo"
+%token COOKIE_ACK "cookie-ack"
+%token ECNE "ecne"
+%token CWR "cwr"
+%token SHUTDOWN_COMPLETE "shutdown-complete"
+%token ASCONF_ACK "asconf-ack"
+%token FORWARD_TSN "forward-tsn"
+%token ASCONF "asconf"
+%token TSN "tsn"
+%token STREAM "stream"
+%token SSN "ssn"
+%token PPID "ppid"
+%token INIT_TAG "init-tag"
+%token A_RWND "a-rwnd"
+%token NUM_OSTREAMS "num-outbound-streams"
+%token NUM_ISTREAMS "num-inbound-streams"
+%token INIT_TSN "initial-tsn"
+%token CUM_TSN_ACK "cum-tsn-ack"
+%token NUM_GACK_BLOCKS "num-gap-ack-blocks"
+%token NUM_DUP_TSNS "num-dup-tsns"
+%token LOWEST_TSN "lowest-tsn"
+%token SEQNO "seqno"
+%token NEW_CUM_TSN "new-cum-tsn"
+
%token VTAG "vtag"
%token RT "rt"
@@ -597,11 +635,15 @@ int nft_lex(void *, void *, void *);
%type <handle> set_identifier flowtableid_spec flowtable_identifier obj_identifier
%destructor { handle_free(&$$); } set_identifier flowtableid_spec obj_identifier
+
+%type <handle> basehook_spec
+%destructor { handle_free(&$$); } basehook_spec
+
%type <val> family_spec family_spec_explicit
%type <val32> int_num chain_policy
%type <prio_spec> extended_prio_spec prio_spec
-%type <string> extended_prio_name quota_unit
-%destructor { xfree($$); } extended_prio_name quota_unit
+%type <string> extended_prio_name quota_unit basehook_device_name
+%destructor { xfree($$); } extended_prio_name quota_unit basehook_device_name
%type <expr> dev_spec
%destructor { xfree($$); } dev_spec
@@ -661,8 +703,10 @@ int nft_lex(void *, void *, void *);
%destructor { stmt_free($$); } chain_stmt
%type <val> chain_stmt_type
-%type <stmt> queue_stmt queue_stmt_alloc
-%destructor { stmt_free($$); } queue_stmt queue_stmt_alloc
+%type <stmt> queue_stmt queue_stmt_alloc queue_stmt_compat
+%destructor { stmt_free($$); } queue_stmt queue_stmt_alloc queue_stmt_compat
+%type <expr> queue_stmt_expr_simple queue_stmt_expr reject_with_expr
+%destructor { expr_free($$); } queue_stmt_expr_simple queue_stmt_expr reject_with_expr
%type <val> queue_stmt_flags queue_stmt_flag
%type <stmt> dup_stmt
%destructor { stmt_free($$); } dup_stmt
@@ -768,9 +812,12 @@ int nft_lex(void *, void *, void *);
%type <expr> udp_hdr_expr udplite_hdr_expr
%destructor { expr_free($$); } udp_hdr_expr udplite_hdr_expr
%type <val> udp_hdr_field udplite_hdr_field
-%type <expr> dccp_hdr_expr sctp_hdr_expr
-%destructor { expr_free($$); } dccp_hdr_expr sctp_hdr_expr
+%type <expr> dccp_hdr_expr sctp_hdr_expr sctp_chunk_alloc
+%destructor { expr_free($$); } dccp_hdr_expr sctp_hdr_expr sctp_chunk_alloc
%type <val> dccp_hdr_field sctp_hdr_field
+%type <val> sctp_chunk_type sctp_chunk_common_field
+%type <val> sctp_chunk_data_field sctp_chunk_init_field
+%type <val> sctp_chunk_sack_field
%type <expr> th_hdr_expr
%destructor { expr_free($$); } th_hdr_expr
%type <val> th_hdr_field
@@ -875,11 +922,14 @@ close_scope_ip : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP); };
close_scope_ip6 : { scanner_pop_start_cond(nft->scanner, PARSER_SC_IP6); };
close_scope_vlan : { scanner_pop_start_cond(nft->scanner, PARSER_SC_VLAN); };
close_scope_ipsec : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_IPSEC); };
+close_scope_list : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_LIST); };
close_scope_limit : { scanner_pop_start_cond(nft->scanner, PARSER_SC_LIMIT); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
close_scope_quota : { scanner_pop_start_cond(nft->scanner, PARSER_SC_QUOTA); };
close_scope_queue : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_QUEUE); };
close_scope_rt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_RT); };
+close_scope_sctp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
+close_scope_sctp_chunk : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SCTP_CHUNK); };
close_scope_secmark : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SECMARK); };
close_scope_socket : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SOCKET); }
@@ -922,6 +972,7 @@ common_block : INCLUDE QUOTED_STRING stmt_separator
if (symbol_unbind(scope, $2) < 0) {
erec_queue(error(&@2, "undefined symbol '%s'", $2),
state->msgs);
+ xfree($2);
YYERROR;
}
xfree($2);
@@ -964,7 +1015,7 @@ base_cmd : /* empty */ add_cmd { $$ = $1; }
| INSERT insert_cmd { $$ = $2; }
| DELETE delete_cmd { $$ = $2; }
| GET get_cmd { $$ = $2; }
- | LIST list_cmd { $$ = $2; }
+ | LIST list_cmd close_scope_list { $$ = $2; }
| RESET reset_cmd { $$ = $2; }
| FLUSH flush_cmd { $$ = $2; }
| RENAME rename_cmd { $$ = $2; }
@@ -1262,6 +1313,8 @@ delete_cmd : TABLE table_or_id_spec
| CT ct_obj_type obj_spec ct_obj_alloc close_scope_ct
{
$$ = cmd_alloc_obj_ct(CMD_DELETE, $2, &$3, &@$, $4);
+ if ($2 == NFT_OBJECT_CT_TIMEOUT)
+ init_list_head(&$4->ct_timeout.timeout_list);
}
| LIMIT obj_or_id_spec close_scope_limit
{
@@ -1415,6 +1468,45 @@ list_cmd : TABLE table_spec
{
$$ = cmd_alloc(CMD_LIST, $2, &$4, &@$, NULL);
}
+ | HOOKS basehook_spec
+ {
+ $$ = cmd_alloc(CMD_LIST, CMD_OBJ_HOOKS, &$2, &@$, NULL);
+ }
+ ;
+
+basehook_device_name : /* NULL */
+ {
+ $$ = NULL;
+ }
+ | DEVICE STRING
+ {
+ $$ = $2;
+ }
+ ;
+
+basehook_spec : ruleset_spec
+ {
+ $$ = $1;
+ }
+ | ruleset_spec STRING basehook_device_name
+ {
+ const char *name = chain_hookname_lookup($2);
+
+ if (name == NULL) {
+ erec_queue(error(&@2, "unknown chain hook"),
+ state->msgs);
+ xfree($3);
+ YYERROR;
+ }
+
+ $1.chain.name = $2;
+ $1.chain.location = @2;
+ if ($3) {
+ $1.obj.name = $3;
+ $1.obj.location = @3;
+ }
+ $$ = $1;
+ }
;
reset_cmd : COUNTERS ruleset_spec
@@ -1960,6 +2052,12 @@ map_block : /* empty */ { $$ = $<set>-1; }
$1->flags |= $3;
$$ = $1;
}
+ | map_block stateful_stmt_list stmt_separator
+ {
+ list_splice_tail($2, &$1->stmt_list);
+ $$ = $1;
+ free($2);
+ }
| map_block ELEMENTS '=' set_block_expr
{
$1->init = $4;
@@ -2073,6 +2171,7 @@ data_type_atom_expr : type_identifier
if (dtype == NULL) {
erec_queue(error(&@1, "unknown datatype %s", $1),
state->msgs);
+ xfree($1);
YYERROR;
}
$$ = constant_expr_alloc(&@1, dtype, dtype->byteorder,
@@ -2261,7 +2360,8 @@ hook_spec : TYPE STRING HOOK STRING dev_spec prio_spec
xfree($2);
YYERROR;
}
- $<chain>0->type = xstrdup(chain_type);
+ $<chain>0->type.loc = @2;
+ $<chain>0->type.str = xstrdup(chain_type);
xfree($2);
$<chain>0->loc = @$;
@@ -2627,6 +2727,7 @@ comment_spec : COMMENT string
erec_queue(error(&@2, "comment too long, %d characters maximum allowed",
NFTNL_UDATA_COMMENT_MAXLEN),
state->msgs);
+ xfree($2);
YYERROR;
}
$$ = $2;
@@ -3197,42 +3298,59 @@ reject_stmt_alloc : _REJECT
}
;
+reject_with_expr : STRING
+ {
+ $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE,
+ current_scope(state), $1);
+ xfree($1);
+ }
+ | integer_expr { $$ = $1; }
+ ;
+
reject_opts : /* empty */
{
$<stmt>0->reject.type = -1;
$<stmt>0->reject.icmp_code = -1;
}
- | WITH ICMP TYPE STRING
+ | WITH ICMP TYPE reject_with_expr
{
$<stmt>0->reject.family = NFPROTO_IPV4;
$<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
- $<stmt>0->reject.expr =
- symbol_expr_alloc(&@$, SYMBOL_VALUE,
- current_scope(state),
- $4);
+ $<stmt>0->reject.expr = $4;
datatype_set($<stmt>0->reject.expr, &icmp_code_type);
- xfree($4);
}
- | WITH ICMP6 TYPE STRING
+ | WITH ICMP reject_with_expr
+ {
+ $<stmt>0->reject.family = NFPROTO_IPV4;
+ $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
+ $<stmt>0->reject.expr = $3;
+ datatype_set($<stmt>0->reject.expr, &icmp_code_type);
+ }
+ | WITH ICMP6 TYPE reject_with_expr
{
$<stmt>0->reject.family = NFPROTO_IPV6;
$<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
- $<stmt>0->reject.expr =
- symbol_expr_alloc(&@$, SYMBOL_VALUE,
- current_scope(state),
- $4);
+ $<stmt>0->reject.expr = $4;
+ datatype_set($<stmt>0->reject.expr, &icmpv6_code_type);
+ }
+ | WITH ICMP6 reject_with_expr
+ {
+ $<stmt>0->reject.family = NFPROTO_IPV6;
+ $<stmt>0->reject.type = NFT_REJECT_ICMP_UNREACH;
+ $<stmt>0->reject.expr = $3;
datatype_set($<stmt>0->reject.expr, &icmpv6_code_type);
- xfree($4);
}
- | WITH ICMPX TYPE STRING
+ | WITH ICMPX TYPE reject_with_expr
{
$<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH;
- $<stmt>0->reject.expr =
- symbol_expr_alloc(&@$, SYMBOL_VALUE,
- current_scope(state),
- $4);
+ $<stmt>0->reject.expr = $4;
+ datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
+ }
+ | WITH ICMPX reject_with_expr
+ {
+ $<stmt>0->reject.type = NFT_REJECT_ICMPX_UNREACH;
+ $<stmt>0->reject.expr = $3;
datatype_set($<stmt>0->reject.expr, &icmpx_code_type);
- xfree($4);
}
| WITH TCP RESET
{
@@ -3530,28 +3648,24 @@ nat_stmt_args : stmt_expr
{
$<stmt>0->nat.family = $1;
$<stmt>0->nat.addr = $4;
- $<stmt>0->nat.type_flags = STMT_NAT_F_INTERVAL;
}
| INTERVAL TO stmt_expr
{
$<stmt>0->nat.addr = $3;
- $<stmt>0->nat.type_flags = STMT_NAT_F_INTERVAL;
}
| nf_key_proto PREFIX TO stmt_expr
{
$<stmt>0->nat.family = $1;
$<stmt>0->nat.addr = $4;
$<stmt>0->nat.type_flags =
- STMT_NAT_F_PREFIX |
- STMT_NAT_F_INTERVAL;
+ STMT_NAT_F_PREFIX;
$<stmt>0->nat.flags |= NF_NAT_RANGE_NETMAP;
}
| PREFIX TO stmt_expr
{
$<stmt>0->nat.addr = $3;
$<stmt>0->nat.type_flags =
- STMT_NAT_F_PREFIX |
- STMT_NAT_F_INTERVAL;
+ STMT_NAT_F_PREFIX;
$<stmt>0->nat.flags |= NF_NAT_RANGE_NETMAP;
}
;
@@ -3648,13 +3762,28 @@ nf_nat_flag : RANDOM { $$ = NF_NAT_RANGE_PROTO_RANDOM; }
| PERSISTENT { $$ = NF_NAT_RANGE_PERSISTENT; }
;
-queue_stmt : queue_stmt_alloc close_scope_queue
- | queue_stmt_alloc queue_stmt_args close_scope_queue
+queue_stmt : queue_stmt_compat close_scope_queue
+ | QUEUE TO queue_stmt_expr close_scope_queue
+ {
+ $$ = queue_stmt_alloc(&@$, $3, 0);
+ }
+ | QUEUE FLAGS queue_stmt_flags TO queue_stmt_expr close_scope_queue
+ {
+ $$ = queue_stmt_alloc(&@$, $5, $3);
+ }
+ | QUEUE FLAGS queue_stmt_flags QUEUENUM queue_stmt_expr_simple close_scope_queue
+ {
+ $$ = queue_stmt_alloc(&@$, $5, $3);
+ }
+ ;
+
+queue_stmt_compat : queue_stmt_alloc
+ | queue_stmt_alloc queue_stmt_args
;
queue_stmt_alloc : QUEUE
{
- $$ = queue_stmt_alloc(&@$);
+ $$ = queue_stmt_alloc(&@$, NULL, 0);
}
;
@@ -3665,7 +3794,7 @@ queue_stmt_args : queue_stmt_arg
| queue_stmt_args queue_stmt_arg
;
-queue_stmt_arg : QUEUENUM stmt_expr
+queue_stmt_arg : QUEUENUM queue_stmt_expr_simple
{
$<stmt>0->queue.queue = $2;
$<stmt>0->queue.queue->location = @$;
@@ -3676,6 +3805,15 @@ queue_stmt_arg : QUEUENUM stmt_expr
}
;
+queue_stmt_expr_simple : integer_expr
+ | range_rhs_expr
+ ;
+
+queue_stmt_expr : numgen_expr
+ | hash_expr
+ | map_expr
+ ;
+
queue_stmt_flags : queue_stmt_flag
| queue_stmt_flags COMMA queue_stmt_flag
{
@@ -3944,8 +4082,10 @@ osf_ttl : /* empty */
else {
erec_queue(error(&@2, "invalid ttl option"),
state->msgs);
+ xfree($2);
YYERROR;
}
+ xfree($2);
}
;
@@ -4434,6 +4574,7 @@ limit_config : RATE limit_mode NUM SLASH time_unit limit_burst_pkts
uint64_t rate, unit;
erec = rate_parse(&@$, $4, &rate, &unit);
+ xfree($4);
if (erec != NULL) {
erec_queue(erec, state->msgs);
YYERROR;
@@ -4463,6 +4604,22 @@ relational_expr : expr /* implicit */ rhs_expr
{
$$ = relational_expr_alloc(&@$, OP_IMPLICIT, $1, $2);
}
+ | expr /* implicit */ basic_rhs_expr SLASH list_rhs_expr
+ {
+ $$ = flagcmp_expr_alloc(&@$, OP_EQ, $1, $4, $2);
+ }
+ | expr /* implicit */ list_rhs_expr SLASH list_rhs_expr
+ {
+ $$ = flagcmp_expr_alloc(&@$, OP_EQ, $1, $4, $2);
+ }
+ | expr relational_op basic_rhs_expr SLASH list_rhs_expr
+ {
+ $$ = flagcmp_expr_alloc(&@$, $2, $1, $5, $3);
+ }
+ | expr relational_op list_rhs_expr SLASH list_rhs_expr
+ {
+ $$ = flagcmp_expr_alloc(&@$, $2, $1, $5, $3);
+ }
| expr relational_op rhs_expr
{
$$ = relational_expr_alloc(&@2, $2, $1, $3);
@@ -4649,7 +4806,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | SCTP
+ | SCTP close_scope_sctp
{
uint8_t data = IPPROTO_SCTP;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5125,6 +5282,7 @@ vlan_hdr_expr : VLAN vlan_hdr_field close_scope_vlan
vlan_hdr_field : ID { $$ = VLANHDR_VID; }
| CFI { $$ = VLANHDR_CFI; }
+ | DEI { $$ = VLANHDR_DEI; }
| PCP { $$ = VLANHDR_PCP; }
| TYPE { $$ = VLANHDR_TYPE; }
;
@@ -5379,10 +5537,115 @@ dccp_hdr_field : SPORT { $$ = DCCPHDR_SPORT; }
| TYPE { $$ = DCCPHDR_TYPE; }
;
-sctp_hdr_expr : SCTP sctp_hdr_field
+sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; }
+ | INIT { $$ = SCTP_CHUNK_TYPE_INIT; }
+ | INIT_ACK { $$ = SCTP_CHUNK_TYPE_INIT_ACK; }
+ | SACK { $$ = SCTP_CHUNK_TYPE_SACK; }
+ | HEARTBEAT { $$ = SCTP_CHUNK_TYPE_HEARTBEAT; }
+ | HEARTBEAT_ACK { $$ = SCTP_CHUNK_TYPE_HEARTBEAT_ACK; }
+ | ABORT { $$ = SCTP_CHUNK_TYPE_ABORT; }
+ | SHUTDOWN { $$ = SCTP_CHUNK_TYPE_SHUTDOWN; }
+ | SHUTDOWN_ACK { $$ = SCTP_CHUNK_TYPE_SHUTDOWN_ACK; }
+ | ERROR { $$ = SCTP_CHUNK_TYPE_ERROR; }
+ | COOKIE_ECHO { $$ = SCTP_CHUNK_TYPE_COOKIE_ECHO; }
+ | COOKIE_ACK { $$ = SCTP_CHUNK_TYPE_COOKIE_ACK; }
+ | ECNE { $$ = SCTP_CHUNK_TYPE_ECNE; }
+ | CWR { $$ = SCTP_CHUNK_TYPE_CWR; }
+ | SHUTDOWN_COMPLETE { $$ = SCTP_CHUNK_TYPE_SHUTDOWN_COMPLETE; }
+ | ASCONF_ACK { $$ = SCTP_CHUNK_TYPE_ASCONF_ACK; }
+ | FORWARD_TSN { $$ = SCTP_CHUNK_TYPE_FORWARD_TSN; }
+ | ASCONF { $$ = SCTP_CHUNK_TYPE_ASCONF; }
+ ;
+
+sctp_chunk_common_field : TYPE { $$ = SCTP_CHUNK_COMMON_TYPE; }
+ | FLAGS { $$ = SCTP_CHUNK_COMMON_FLAGS; }
+ | LENGTH { $$ = SCTP_CHUNK_COMMON_LENGTH; }
+ ;
+
+sctp_chunk_data_field : TSN { $$ = SCTP_CHUNK_DATA_TSN; }
+ | STREAM { $$ = SCTP_CHUNK_DATA_STREAM; }
+ | SSN { $$ = SCTP_CHUNK_DATA_SSN; }
+ | PPID { $$ = SCTP_CHUNK_DATA_PPID; }
+ ;
+
+sctp_chunk_init_field : INIT_TAG { $$ = SCTP_CHUNK_INIT_TAG; }
+ | A_RWND { $$ = SCTP_CHUNK_INIT_RWND; }
+ | NUM_OSTREAMS { $$ = SCTP_CHUNK_INIT_OSTREAMS; }
+ | NUM_ISTREAMS { $$ = SCTP_CHUNK_INIT_ISTREAMS; }
+ | INIT_TSN { $$ = SCTP_CHUNK_INIT_TSN; }
+ ;
+
+sctp_chunk_sack_field : CUM_TSN_ACK { $$ = SCTP_CHUNK_SACK_CTSN_ACK; }
+ | A_RWND { $$ = SCTP_CHUNK_SACK_RWND; }
+ | NUM_GACK_BLOCKS { $$ = SCTP_CHUNK_SACK_GACK_BLOCKS; }
+ | NUM_DUP_TSNS { $$ = SCTP_CHUNK_SACK_DUP_TSNS; }
+ ;
+
+sctp_chunk_alloc : sctp_chunk_type
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, $1, SCTP_CHUNK_COMMON_TYPE);
+ $$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
+ }
+ | sctp_chunk_type sctp_chunk_common_field
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, $1, $2);
+ }
+ | DATA sctp_chunk_data_field
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_DATA, $2);
+ }
+ | INIT sctp_chunk_init_field
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_INIT, $2);
+ }
+ | INIT_ACK sctp_chunk_init_field
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_INIT_ACK, $2);
+ }
+ | SACK sctp_chunk_sack_field
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_SACK, $2);
+ }
+ | SHUTDOWN CUM_TSN_ACK
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_SHUTDOWN,
+ SCTP_CHUNK_SHUTDOWN_CTSN_ACK);
+ }
+ | ECNE LOWEST_TSN
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_ECNE,
+ SCTP_CHUNK_ECNE_CWR_MIN_TSN);
+ }
+ | CWR LOWEST_TSN
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_CWR,
+ SCTP_CHUNK_ECNE_CWR_MIN_TSN);
+ }
+ | ASCONF_ACK SEQNO
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_ASCONF_ACK,
+ SCTP_CHUNK_ASCONF_SEQNO);
+ }
+ | FORWARD_TSN NEW_CUM_TSN
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_FORWARD_TSN,
+ SCTP_CHUNK_FORWARD_TSN_NCTSN);
+ }
+ | ASCONF SEQNO
+ {
+ $$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_ASCONF,
+ SCTP_CHUNK_ASCONF_SEQNO);
+ }
+ ;
+
+sctp_hdr_expr : SCTP sctp_hdr_field close_scope_sctp
{
$$ = payload_expr_alloc(&@$, &proto_sctp, $2);
}
+ | SCTP CHUNK sctp_chunk_alloc close_scope_sctp_chunk close_scope_sctp
+ {
+ $$ = $3;
+ }
;
sctp_hdr_field : SPORT { $$ = SCTPHDR_SPORT; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 17bb10c3..666aa2fc 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -11,6 +11,7 @@
#include <netlink.h>
#include <parser.h>
#include <rule.h>
+#include <sctp_chunk.h>
#include <socket.h>
#include <netdb.h>
@@ -314,15 +315,6 @@ static struct expr *json_parse_constant(struct json_ctx *ctx, const char *name)
return NULL;
}
-static struct expr *wildcard_expr_alloc(void)
-{
- struct expr *expr;
-
- expr = constant_expr_alloc(int_loc, &integer_type,
- BYTEORDER_HOST_ENDIAN, 0, NULL);
- return prefix_expr_alloc(int_loc, expr, 0);
-}
-
/* this is a combination of symbol_expr, integer_expr, boolean_expr ... */
static struct expr *json_parse_immediate(struct json_ctx *ctx, json_t *root)
{
@@ -337,7 +329,7 @@ static struct expr *json_parse_immediate(struct json_ctx *ctx, json_t *root)
symtype = SYMBOL_SET;
str++;
} else if (str[0] == '*' && str[1] == '\0') {
- return wildcard_expr_alloc();
+ return set_elem_catchall_expr_alloc(int_loc);
} else if (is_keyword(str)) {
return symbol_expr_alloc(int_loc,
SYMBOL_VALUE, NULL, str);
@@ -611,12 +603,12 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx,
"base", &kind, "offset", &offset, "len", &len)) {
uint32_t flag = 0;
- expr = tcpopt_expr_alloc(int_loc, kind,
- TCPOPT_COMMON_KIND);
-
if (kind < 0 || kind > 255)
return NULL;
+ expr = tcpopt_expr_alloc(int_loc, kind,
+ TCPOPT_COMMON_KIND);
+
if (offset == TCPOPT_COMMON_KIND && len == 8)
flag = NFT_EXTHDR_F_PRESENT;
@@ -707,6 +699,53 @@ static struct expr *json_parse_ip_option_expr(struct json_ctx *ctx,
return ipopt_expr_alloc(int_loc, descval, fieldval, 0);
}
+static int json_parse_sctp_chunk_field(const struct exthdr_desc *desc,
+ const char *name, int *val)
+{
+ unsigned int i;
+
+ for (i = 0; i < array_size(desc->templates); i++) {
+ if (desc->templates[i].token &&
+ !strcmp(desc->templates[i].token, name)) {
+ if (val)
+ *val = i;
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static struct expr *json_parse_sctp_chunk_expr(struct json_ctx *ctx,
+ const char *type, json_t *root)
+{
+ const struct exthdr_desc *desc;
+ const char *name, *field;
+ struct expr *expr;
+ int fieldval;
+
+ if (json_unpack_err(ctx, root, "{s:s}", "name", &name))
+ return NULL;
+
+ desc = sctp_chunk_protocol_find(name);
+ if (!desc) {
+ json_error(ctx, "Unknown sctp chunk name '%s'.", name);
+ return NULL;
+ }
+
+ if (json_unpack(root, "{s:s}", "field", &field)) {
+ expr = sctp_chunk_expr_alloc(int_loc, desc->type,
+ SCTP_CHUNK_COMMON_TYPE);
+ expr->exthdr.flags = NFT_EXTHDR_F_PRESENT;
+
+ return expr;
+ }
+ if (json_parse_sctp_chunk_field(desc, field, &fieldval)) {
+ json_error(ctx, "Unknown sctp chunk field '%s'.", field);
+ return NULL;
+ }
+ return sctp_chunk_expr_alloc(int_loc, desc->type, fieldval);
+}
+
static const struct exthdr_desc *exthdr_lookup_byname(const char *name)
{
const struct exthdr_desc *exthdr_tbl[] = {
@@ -1087,7 +1126,7 @@ static struct expr *json_parse_binop_expr(struct json_ctx *ctx,
json_error(ctx, "Failed to parse LHS of binop expression.");
return NULL;
}
- right = json_parse_primary_expr(ctx, jright);
+ right = json_parse_rhs_expr(ctx, jright);
if (!right) {
json_error(ctx, "Failed to parse RHS of binop expression.");
expr_free(left);
@@ -1412,6 +1451,7 @@ static struct expr *json_parse_expr(struct json_ctx *ctx, json_t *root)
{ "exthdr", json_parse_exthdr_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
{ "tcp option", json_parse_tcp_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },
{ "ip option", json_parse_ip_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },
+ { "sctp chunk", json_parse_sctp_chunk_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },
{ "meta", json_parse_meta_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
{ "osf", json_parse_osf_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT },
{ "ipsec", json_parse_xfrm_expr, CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT },
@@ -2519,14 +2559,14 @@ static int queue_flag_parse(const char *name, uint16_t *flags)
static struct stmt *json_parse_queue_stmt(struct json_ctx *ctx,
const char *key, json_t *value)
{
- struct stmt *stmt = queue_stmt_alloc(int_loc);
+ struct expr *qexpr = NULL;
+ uint16_t flags = 0;
json_t *tmp;
if (!json_unpack(value, "{s:o}", "num", &tmp)) {
- stmt->queue.queue = json_parse_stmt_expr(ctx, tmp);
- if (!stmt->queue.queue) {
+ qexpr = json_parse_stmt_expr(ctx, tmp);
+ if (!qexpr) {
json_error(ctx, "Invalid queue num.");
- stmt_free(stmt);
return NULL;
}
}
@@ -2538,15 +2578,15 @@ static struct stmt *json_parse_queue_stmt(struct json_ctx *ctx,
if (json_is_string(tmp)) {
flag = json_string_value(tmp);
- if (queue_flag_parse(flag, &stmt->queue.flags)) {
+ if (queue_flag_parse(flag, &flags)) {
json_error(ctx, "Invalid queue flag '%s'.",
flag);
- stmt_free(stmt);
+ expr_free(qexpr);
return NULL;
}
} else if (!json_is_array(tmp)) {
json_error(ctx, "Unexpected object type in queue flags.");
- stmt_free(stmt);
+ expr_free(qexpr);
return NULL;
}
@@ -2554,20 +2594,20 @@ static struct stmt *json_parse_queue_stmt(struct json_ctx *ctx,
if (!json_is_string(val)) {
json_error(ctx, "Invalid object in queue flag array at index %zu.",
index);
- stmt_free(stmt);
+ expr_free(qexpr);
return NULL;
}
flag = json_string_value(val);
- if (queue_flag_parse(flag, &stmt->queue.flags)) {
+ if (queue_flag_parse(flag, &flags)) {
json_error(ctx, "Invalid queue flag '%s'.",
flag);
- stmt_free(stmt);
+ expr_free(qexpr);
return NULL;
}
}
}
- return stmt;
+ return queue_stmt_alloc(int_loc, qexpr, flags);
}
static struct stmt *json_parse_connlimit_stmt(struct json_ctx *ctx,
@@ -2741,7 +2781,7 @@ static struct cmd *json_parse_cmd_add_chain(struct json_ctx *ctx, json_t *root,
chain = chain_alloc(NULL);
chain->flags |= CHAIN_F_BASECHAIN;
- chain->type = xstrdup(type);
+ chain->type.str = xstrdup(type);
chain->priority.expr = constant_expr_alloc(int_loc, &integer_type,
BYTEORDER_HOST_ENDIAN,
sizeof(int) * BITS_PER_BYTE,
@@ -3164,7 +3204,6 @@ static int json_parse_ct_timeout_policy(struct json_ctx *ctx,
return 1;
}
- init_list_head(&obj->ct_timeout.timeout_list);
json_object_foreach(tmp, key, val) {
struct timeout_state *ts;
@@ -3311,6 +3350,7 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx,
}
obj->ct_helper.l3proto = l3proto;
+ init_list_head(&obj->ct_timeout.timeout_list);
if (json_parse_ct_timeout_policy(ctx, root, obj)) {
obj_free(obj);
return NULL;
diff --git a/src/payload.c b/src/payload.c
index cfa95224..97b60713 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -98,12 +98,16 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
desc = proto_find_upper(base, proto);
if (!desc) {
- if (base == &proto_icmp || base == &proto_icmp6) {
+ if (base == &proto_icmp) {
/* proto 0 is ECHOREPLY, just pretend its ECHO.
* Not doing this would need an additional marker
* bit to tell when icmp.type was set.
*/
ctx->th_dep.icmp.type = proto ? proto : ICMP_ECHO;
+ } else if (base == &proto_icmp6) {
+ if (proto == ICMP6_ECHO_REPLY)
+ proto = ICMP6_ECHO_REQUEST;
+ ctx->th_dep.icmp.type = proto;
}
return;
}
@@ -554,33 +558,39 @@ void payload_dependency_reset(struct payload_dep_ctx *ctx)
memset(ctx, 0, sizeof(*ctx));
}
-static uint8_t icmp_get_type(const struct proto_desc *desc, uint8_t value)
+static bool payload_dependency_store_icmp_type(struct payload_dep_ctx *ctx,
+ const struct stmt *stmt)
{
- if (desc == &proto_icmp && value == 0)
- return ICMP_ECHO;
+ struct expr *dep = stmt->expr;
+ const struct proto_desc *desc;
+ const struct expr *right;
+ uint8_t type;
- return value;
-}
+ if (dep->left->etype != EXPR_PAYLOAD)
+ return false;
-static uint8_t icmp_get_dep_type(const struct proto_desc *desc, struct expr *right)
-{
- if (right->etype == EXPR_VALUE && right->len == BITS_PER_BYTE)
- return icmp_get_type(desc, mpz_get_uint8(right->value));
+ right = dep->right;
+ if (right->etype != EXPR_VALUE || right->len != BITS_PER_BYTE)
+ return false;
- return 0;
-}
+ desc = dep->left->payload.desc;
+ if (desc == &proto_icmp) {
+ type = mpz_get_uint8(right->value);
-static void payload_dependency_store_icmp_type(struct payload_dep_ctx *ctx)
-{
- struct expr *dep = ctx->pdep->expr;
- const struct proto_desc *desc;
+ if (type == ICMP_ECHOREPLY)
+ type = ICMP_ECHO;
- if (dep->left->etype != EXPR_PAYLOAD)
- return;
+ ctx->icmp_type = type;
- desc = dep->left->payload.desc;
- if (desc == &proto_icmp || desc == &proto_icmp6)
- ctx->icmp_type = icmp_get_dep_type(dep->left->payload.desc, dep->right);
+ return type == ICMP_ECHO;
+ } else if (desc == &proto_icmp6) {
+ type = mpz_get_uint8(right->value);
+
+ ctx->icmp_type = type;
+ return type == ICMP6_ECHO_REQUEST || type == ICMP6_ECHO_REPLY;
+ }
+
+ return false;
}
/**
@@ -593,10 +603,13 @@ static void payload_dependency_store_icmp_type(struct payload_dep_ctx *ctx)
void payload_dependency_store(struct payload_dep_ctx *ctx,
struct stmt *stmt, enum proto_bases base)
{
- ctx->pbase = base + 1;
- ctx->pdep = stmt;
+ bool ignore_dep = payload_dependency_store_icmp_type(ctx, stmt);
+
+ if (ignore_dep)
+ return;
- payload_dependency_store_icmp_type(ctx);
+ ctx->pdep = stmt;
+ ctx->pbase = base + 1;
}
/**
diff --git a/src/proto.c b/src/proto.c
index 63727605..2b61e0ba 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -1032,6 +1032,7 @@ const struct proto_desc proto_vlan = {
},
.templates = {
[VLANHDR_PCP] = VLANHDR_BITFIELD("pcp", 0, 3),
+ [VLANHDR_DEI] = VLANHDR_BITFIELD("dei", 3, 1),
[VLANHDR_CFI] = VLANHDR_BITFIELD("cfi", 3, 1),
[VLANHDR_VID] = VLANHDR_BITFIELD("id", 4, 12),
[VLANHDR_TYPE] = VLANHDR_TYPE("type", &ethertype_type, vlan_type),
diff --git a/src/rule.c b/src/rule.c
index 07a541a2..877eae3c 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -215,10 +215,6 @@ struct set *set_lookup_fuzzy(const char *set_name,
list_for_each_entry(set, &table->set_cache.list, cache.list) {
if (set_is_anonymous(set->flags))
continue;
- if (!strcmp(set->handle.set.name, set_name)) {
- *t = table;
- return set;
- }
if (string_misspell_update(set->handle.set.name,
set_name, set, &st))
*t = table;
@@ -730,7 +726,7 @@ void chain_free(struct chain *chain)
rule_free(rule);
handle_free(&chain->handle);
scope_release(&chain->scope);
- xfree(chain->type);
+ xfree(chain->type.str);
expr_free(chain->dev_expr);
for (i = 0; i < chain->dev_array_len; i++)
xfree(chain->dev_array[i]);
@@ -765,10 +761,6 @@ struct chain *chain_lookup_fuzzy(const struct handle *h,
list_for_each_entry(table, &cache->table_cache.list, cache.list) {
list_for_each_entry(chain, &table->chain_cache.list, cache.list) {
- if (!strcmp(chain->handle.chain.name, h->chain.name)) {
- *t = table;
- return chain;
- }
if (string_misspell_update(chain->handle.chain.name,
h->chain.name, chain, &st))
*t = table;
@@ -1024,7 +1016,7 @@ static void chain_print_declaration(const struct chain *chain,
nft_print(octx, "\n\t\tcomment \"%s\"", chain->comment);
nft_print(octx, "\n");
if (chain->flags & CHAIN_F_BASECHAIN) {
- nft_print(octx, "\t\ttype %s hook %s", chain->type,
+ nft_print(octx, "\t\ttype %s hook %s", chain->type.str,
hooknum2str(chain->handle.family, chain->hook.num));
if (chain->dev_array_len == 1) {
nft_print(octx, " device \"%s\"", chain->dev_array[0]);
@@ -1085,7 +1077,7 @@ void chain_print_plain(const struct chain *chain, struct output_ctx *octx)
mpz_export_data(&policy, chain->policy->value,
BYTEORDER_HOST_ENDIAN, sizeof(int));
nft_print(octx, " { type %s hook %s priority %s; policy %s; }",
- chain->type, chain->hook.name,
+ chain->type.str, chain->hook.name,
prio2str(octx, priobuf, sizeof(priobuf),
chain->handle.family, chain->hook.num,
chain->priority.expr),
@@ -1174,9 +1166,6 @@ struct table *table_lookup_fuzzy(const struct handle *h,
string_misspell_init(&st);
list_for_each_entry(table, &cache->table_cache.list, cache.list) {
- if (!strcmp(table->handle.table.name, h->table.name))
- return table;
-
string_misspell_update(table->handle.table.name,
h->table.name, table, &st);
}
@@ -1286,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
- if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
+ if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
return;
cmd->attr[cmd->num_attrs].offset = offset;
@@ -1297,11 +1286,11 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
void nft_cmd_expand(struct cmd *cmd)
{
struct list_head new_cmds;
- struct set *set, *newset;
struct flowtable *ft;
struct table *table;
struct chain *chain;
struct rule *rule;
+ struct set *set;
struct obj *obj;
struct cmd *new;
struct handle h;
@@ -1367,14 +1356,13 @@ void nft_cmd_expand(struct cmd *cmd)
case CMD_OBJ_SET:
case CMD_OBJ_MAP:
set = cmd->set;
+ if (!set->init)
+ break;
+
memset(&h, 0, sizeof(h));
handle_merge(&h, &set->handle);
- newset = set_clone(set);
- newset->handle.set_id = set->handle.set_id;
- newset->init = set->init;
- set->init = NULL;
new = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEMS, &h,
- &set->location, newset);
+ &set->location, set_get(set));
list_add(&new->list, &cmd->list);
break;
default:
@@ -1472,7 +1460,7 @@ void cmd_free(struct cmd *cmd)
#include <netlink.h>
#include <mnl.h>
-static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set,
+static int __do_add_elements(struct netlink_ctx *ctx, struct set *set,
struct expr *expr, uint32_t flags)
{
expr->set_flags |= set->flags;
@@ -1492,7 +1480,7 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set,
return 0;
}
-static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
+static int do_add_elements(struct netlink_ctx *ctx, struct cmd *cmd,
uint32_t flags)
{
struct expr *init = cmd->expr;
@@ -1504,27 +1492,35 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
&ctx->nft->output) < 0)
return -1;
- return __do_add_setelems(ctx, set, init, flags);
+ return __do_add_elements(ctx, set, init, flags);
+}
+
+static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
+ uint32_t flags)
+{
+ struct set *set = cmd->set;
+
+ return __do_add_elements(ctx, set, set->init, flags);
}
static int do_add_set(struct netlink_ctx *ctx, struct cmd *cmd,
- uint32_t flags, bool add)
+ uint32_t flags)
{
struct set *set = cmd->set;
if (set->init != NULL) {
+ /* Update set->init->size (NFTNL_SET_DESC_SIZE) before adding
+ * the set to the kernel. Calling this from do_add_setelems()
+ * comes too late which might result in spurious ENFILE errors.
+ */
if (set_is_non_concat_range(set) &&
set_to_intervals(ctx->msgs, set, set->init, true,
ctx->nft->debug_mask, set->automerge,
&ctx->nft->output) < 0)
return -1;
}
- if (add && mnl_nft_set_add(ctx, cmd, flags) < 0)
- return -1;
- if (set->init != NULL) {
- return __do_add_setelems(ctx, set, set->init, flags);
- }
- return 0;
+
+ return mnl_nft_set_add(ctx, cmd, flags);
}
static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
@@ -1542,11 +1538,11 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
case CMD_OBJ_RULE:
return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND);
case CMD_OBJ_SET:
- return do_add_set(ctx, cmd, flags, true);
+ return do_add_set(ctx, cmd, flags);
case CMD_OBJ_SETELEMS:
- return do_add_set(ctx, cmd, flags, false);
- case CMD_OBJ_ELEMENTS:
return do_add_setelems(ctx, cmd, flags);
+ case CMD_OBJ_ELEMENTS:
+ return do_add_elements(ctx, cmd, flags);
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
case CMD_OBJ_CT_HELPER:
@@ -1713,6 +1709,15 @@ void obj_free(struct obj *obj)
return;
xfree(obj->comment);
handle_free(&obj->handle);
+ if (obj->type == NFT_OBJECT_CT_TIMEOUT) {
+ struct timeout_state *ts, *next;
+
+ list_for_each_entry_safe(ts, next, &obj->ct_timeout.timeout_list, head) {
+ list_del(&ts->head);
+ xfree(ts->timeout_str);
+ xfree(ts);
+ }
+ }
xfree(obj);
}
@@ -1728,10 +1733,6 @@ struct obj *obj_lookup_fuzzy(const char *obj_name,
list_for_each_entry(table, &cache->table_cache.list, cache.list) {
list_for_each_entry(obj, &table->obj_cache.list, cache.list) {
- if (!strcmp(obj->handle.obj.name, obj_name)) {
- *t = table;
- return obj;
- }
if (string_misspell_update(obj->handle.obj.name,
obj_name, obj, &st))
*t = table;
@@ -2206,10 +2207,6 @@ struct flowtable *flowtable_lookup_fuzzy(const char *ft_name,
list_for_each_entry(table, &cache->table_cache.list, cache.list) {
list_for_each_entry(ft, &table->ft_cache.list, cache.list) {
- if (!strcmp(ft->handle.flowtable.name, ft_name)) {
- *t = table;
- return ft;
- }
if (string_misspell_update(ft->handle.flowtable.name,
ft_name, ft, &st))
*t = table;
@@ -2383,6 +2380,17 @@ static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd,
return 0;
}
+static int do_list_hooks(struct netlink_ctx *ctx, struct cmd *cmd)
+{
+ const char *devname = cmd->handle.obj.name;
+ int hooknum = -1;
+
+ if (cmd->handle.chain.name)
+ hooknum = cmd->handle.chain_id;
+
+ return mnl_nft_dump_nf_hooks(ctx, cmd->handle.family, hooknum, devname);
+}
+
static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
{
struct table *table = NULL;
@@ -2443,6 +2451,8 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
return do_list_flowtable(ctx, cmd, table);
case CMD_OBJ_FLOWTABLES:
return do_list_flowtables(ctx, cmd);
+ case CMD_OBJ_HOOKS:
+ return do_list_hooks(ctx, cmd);
default:
BUG("invalid command object type %u\n", cmd->obj);
}
diff --git a/src/scanner.l b/src/scanner.l
index 72469b4e..6cc7778d 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -204,14 +204,17 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%s SCANSTATE_IP6
%s SCANSTATE_LIMIT
%s SCANSTATE_QUOTA
+%s SCANSTATE_SCTP
%s SCANSTATE_SECMARK
%s SCANSTATE_VLAN
+%s SCANSTATE_CMD_LIST
%s SCANSTATE_EXPR_FIB
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_IPSEC
%s SCANSTATE_EXPR_NUMGEN
%s SCANSTATE_EXPR_QUEUE
%s SCANSTATE_EXPR_RT
+%s SCANSTATE_EXPR_SCTP_CHUNK
%s SCANSTATE_EXPR_SOCKET
%s SCANSTATE_STMT_LOG
@@ -315,7 +318,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"insert" { return INSERT; }
"delete" { return DELETE; }
"get" { return GET; }
-"list" { return LIST; }
+"list" { scanner_push_start_cond(yyscanner, SCANSTATE_CMD_LIST); return LIST; }
"reset" { return RESET; }
"flush" { return FLUSH; }
"rename" { return RENAME; }
@@ -344,9 +347,15 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"flow" { return FLOW; }
"offload" { return OFFLOAD; }
"meter" { return METER; }
-"meters" { return METERS; }
-"flowtables" { return FLOWTABLES; }
+<SCANSTATE_CMD_LIST>{
+ "meters" { return METERS; }
+ "flowtables" { return FLOWTABLES; }
+ "limits" { return LIMITS; }
+ "secmarks" { return SECMARKS; }
+ "synproxys" { return SYNPROXYS; }
+ "hooks" { return HOOKS; }
+}
"counter" { scanner_push_start_cond(yyscanner, SCANSTATE_COUNTER); return COUNTER; }
"name" { return NAME; }
@@ -355,8 +364,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"counters" { return COUNTERS; }
"quotas" { return QUOTAS; }
-"limits" { return LIMITS; }
-"synproxys" { return SYNPROXYS; }
"log" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_LOG); return LOG; }
"prefix" { return PREFIX; }
@@ -422,6 +429,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"id" { return ID; }
<SCANSTATE_VLAN>{
"cfi" { return CFI; }
+ "dei" { return DEI; }
"pcp" { return PCP; }
}
"8021ad" { yylval->string = xstrdup(yytext); return STRING; }
@@ -526,8 +534,48 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"dccp" { return DCCP; }
-"sctp" { return SCTP; }
-"vtag" { return VTAG; }
+"sctp" { scanner_push_start_cond(yyscanner, SCANSTATE_SCTP); return SCTP; }
+
+<SCANSTATE_SCTP>{
+ "chunk" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_SCTP_CHUNK); return CHUNK; }
+ "vtag" { return VTAG; }
+}
+
+<SCANSTATE_EXPR_SCTP_CHUNK>{
+ "data" { return DATA; }
+ "init" { return INIT; }
+ "init-ack" { return INIT_ACK; }
+ "heartbeat" { return HEARTBEAT; }
+ "heartbeat-ack" { return HEARTBEAT_ACK; }
+ "abort" { return ABORT; }
+ "shutdown" { return SHUTDOWN; }
+ "shutdown-ack" { return SHUTDOWN_ACK; }
+ "error" { return ERROR; }
+ "cookie-echo" { return COOKIE_ECHO; }
+ "cookie-ack" { return COOKIE_ACK; }
+ "ecne" { return ECNE; }
+ "cwr" { return CWR; }
+ "shutdown-complete" { return SHUTDOWN_COMPLETE; }
+ "asconf-ack" { return ASCONF_ACK; }
+ "forward-tsn" { return FORWARD_TSN; }
+ "asconf" { return ASCONF; }
+
+ "tsn" { return TSN; }
+ "stream" { return STREAM; }
+ "ssn" { return SSN; }
+ "ppid" { return PPID; }
+ "init-tag" { return INIT_TAG; }
+ "a-rwnd" { return A_RWND; }
+ "num-outbound-streams" { return NUM_OSTREAMS; }
+ "num-inbound-streams" { return NUM_ISTREAMS; }
+ "initial-tsn" { return INIT_TSN; }
+ "cum-tsn-ack" { return CUM_TSN_ACK; }
+ "num-gap-ack-blocks" { return NUM_GACK_BLOCKS; }
+ "num-dup-tsns" { return NUM_DUP_TSNS; }
+ "lowest-tsn" { return LOWEST_TSN; }
+ "seqno" { return SEQNO; }
+ "new-cum-tsn" { return NEW_CUM_TSN; }
+}
"rt" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_RT); return RT; }
"rt0" { return RT0; }
@@ -645,7 +693,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
}
"secmark" { scanner_push_start_cond(yyscanner, SCANSTATE_SECMARK); return SECMARK; }
-"secmarks" { return SECMARKS; }
{addrstring} {
yylval->string = xstrdup(yytext);
diff --git a/src/sctp_chunk.c b/src/sctp_chunk.c
new file mode 100644
index 00000000..6e73e72f
--- /dev/null
+++ b/src/sctp_chunk.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright Red Hat
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 (or any
+ * later) as published by the Free Software Foundation.
+ */
+
+#include <exthdr.h>
+#include <sctp_chunk.h>
+
+#include <string.h>
+
+#define PHT(__token, __offset, __len) \
+ PROTO_HDR_TEMPLATE(__token, &integer_type, BYTEORDER_BIG_ENDIAN, \
+ __offset, __len)
+
+static const struct exthdr_desc sctp_chunk_data = {
+ .name = "data",
+ .type = SCTP_CHUNK_TYPE_DATA,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_DATA_TSN] = PHT("tsn", 32, 32),
+ [SCTP_CHUNK_DATA_STREAM] = PHT("stream", 64, 16),
+ [SCTP_CHUNK_DATA_SSN] = PHT("ssn", 80, 16),
+ [SCTP_CHUNK_DATA_PPID] = PHT("ppid", 96, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_init = {
+ .name = "init",
+ .type = SCTP_CHUNK_TYPE_INIT,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_INIT_TAG] = PHT("init-tag", 32, 32),
+ [SCTP_CHUNK_INIT_RWND] = PHT("a-rwnd", 64, 32),
+ [SCTP_CHUNK_INIT_OSTREAMS] = PHT("num-outbound-streams", 96, 16),
+ [SCTP_CHUNK_INIT_ISTREAMS] = PHT("num-inbound-streams", 112, 16),
+ [SCTP_CHUNK_INIT_TSN] = PHT("initial-tsn", 128, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_init_ack = {
+ .name = "init-ack",
+ .type = SCTP_CHUNK_TYPE_INIT_ACK,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_INIT_TAG] = PHT("init-tag", 32, 32),
+ [SCTP_CHUNK_INIT_RWND] = PHT("a-rwnd", 64, 32),
+ [SCTP_CHUNK_INIT_OSTREAMS] = PHT("num-outbound-streams", 96, 16),
+ [SCTP_CHUNK_INIT_ISTREAMS] = PHT("num-inbound-streams", 112, 16),
+ [SCTP_CHUNK_INIT_TSN] = PHT("initial-tsn", 128, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_sack = {
+ .name = "sack",
+ .type = SCTP_CHUNK_TYPE_SACK,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_SACK_CTSN_ACK] = PHT("cum-tsn-ack", 32, 32),
+ [SCTP_CHUNK_SACK_RWND] = PHT("a-rwnd", 64, 32),
+ [SCTP_CHUNK_SACK_GACK_BLOCKS] = PHT("num-gap-ack-blocks", 96, 16),
+ [SCTP_CHUNK_SACK_DUP_TSNS] = PHT("num-dup-tsns", 112, 16),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_shutdown = {
+ .name = "shutdown",
+ .type = SCTP_CHUNK_TYPE_SHUTDOWN,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_SHUTDOWN_CTSN_ACK] = PHT("cum-tsn-ack", 32, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_ecne = {
+ .name = "ecne",
+ .type = SCTP_CHUNK_TYPE_ECNE,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_ECNE_CWR_MIN_TSN] = PHT("lowest-tsn", 32, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_cwr = {
+ .name = "cwr",
+ .type = SCTP_CHUNK_TYPE_CWR,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_ECNE_CWR_MIN_TSN] = PHT("lowest-tsn", 32, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_asconf_ack = {
+ .name = "asconf-ack",
+ .type = SCTP_CHUNK_TYPE_ASCONF_ACK,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_ASCONF_SEQNO] = PHT("seqno", 32, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_forward_tsn = {
+ .name = "forward-tsn",
+ .type = SCTP_CHUNK_TYPE_FORWARD_TSN,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_FORWARD_TSN_NCTSN] = PHT("new-cum-tsn", 32, 32),
+ },
+};
+
+static const struct exthdr_desc sctp_chunk_asconf = {
+ .name = "asconf",
+ .type = SCTP_CHUNK_TYPE_ASCONF,
+ .templates = {
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8),
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8),
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),
+ [SCTP_CHUNK_ASCONF_SEQNO] = PHT("seqno", 32, 32),
+ },
+};
+
+#define SCTP_CHUNK_DESC_GENERATOR(descname, hname, desctype) \
+static const struct exthdr_desc sctp_chunk_##descname = { \
+ .name = #hname, \
+ .type = SCTP_CHUNK_TYPE_##desctype, \
+ .templates = { \
+ [SCTP_CHUNK_COMMON_TYPE] = PHT("type", 0, 8), \
+ [SCTP_CHUNK_COMMON_FLAGS] = PHT("flags", 8, 8), \
+ [SCTP_CHUNK_COMMON_LENGTH] = PHT("length", 16, 16),\
+ }, \
+};
+
+SCTP_CHUNK_DESC_GENERATOR(heartbeat, heartbeat, HEARTBEAT)
+SCTP_CHUNK_DESC_GENERATOR(heartbeat_ack, heartbeat-ack, HEARTBEAT_ACK)
+SCTP_CHUNK_DESC_GENERATOR(abort, abort, ABORT)
+SCTP_CHUNK_DESC_GENERATOR(shutdown_ack, shutdown-ack, SHUTDOWN_ACK)
+SCTP_CHUNK_DESC_GENERATOR(error, error, ERROR)
+SCTP_CHUNK_DESC_GENERATOR(cookie_echo, cookie-echo, COOKIE_ECHO)
+SCTP_CHUNK_DESC_GENERATOR(cookie_ack, cookie-ack, COOKIE_ACK)
+SCTP_CHUNK_DESC_GENERATOR(shutdown_complete, shutdown-complete, SHUTDOWN_COMPLETE)
+
+#undef SCTP_CHUNK_DESC_GENERATOR
+
+static const struct exthdr_desc *sctp_chunk_protocols[] = {
+ [SCTP_CHUNK_TYPE_DATA] = &sctp_chunk_data,
+ [SCTP_CHUNK_TYPE_INIT] = &sctp_chunk_init,
+ [SCTP_CHUNK_TYPE_INIT_ACK] = &sctp_chunk_init_ack,
+ [SCTP_CHUNK_TYPE_SACK] = &sctp_chunk_sack,
+ [SCTP_CHUNK_TYPE_HEARTBEAT] = &sctp_chunk_heartbeat,
+ [SCTP_CHUNK_TYPE_HEARTBEAT_ACK] = &sctp_chunk_heartbeat_ack,
+ [SCTP_CHUNK_TYPE_ABORT] = &sctp_chunk_abort,
+ [SCTP_CHUNK_TYPE_SHUTDOWN] = &sctp_chunk_shutdown,
+ [SCTP_CHUNK_TYPE_SHUTDOWN_ACK] = &sctp_chunk_shutdown_ack,
+ [SCTP_CHUNK_TYPE_ERROR] = &sctp_chunk_error,
+ [SCTP_CHUNK_TYPE_COOKIE_ECHO] = &sctp_chunk_cookie_echo,
+ [SCTP_CHUNK_TYPE_COOKIE_ACK] = &sctp_chunk_cookie_ack,
+ [SCTP_CHUNK_TYPE_ECNE] = &sctp_chunk_ecne,
+ [SCTP_CHUNK_TYPE_CWR] = &sctp_chunk_cwr,
+ [SCTP_CHUNK_TYPE_SHUTDOWN_COMPLETE] = &sctp_chunk_shutdown_complete,
+ [SCTP_CHUNK_TYPE_ASCONF_ACK] = &sctp_chunk_asconf_ack,
+ [SCTP_CHUNK_TYPE_FORWARD_TSN] = &sctp_chunk_forward_tsn,
+ [SCTP_CHUNK_TYPE_ASCONF] = &sctp_chunk_asconf,
+};
+
+const struct exthdr_desc *sctp_chunk_protocol_find(const char *name)
+{
+ unsigned int i;
+
+ for (i = 0; i < array_size(sctp_chunk_protocols); i++) {
+ if (sctp_chunk_protocols[i] &&
+ !strcmp(sctp_chunk_protocols[i]->name, name))
+ return sctp_chunk_protocols[i];
+ }
+ return NULL;
+}
+
+struct expr *sctp_chunk_expr_alloc(const struct location *loc,
+ unsigned int type, unsigned int field)
+{
+ const struct proto_hdr_template *tmpl;
+ const struct exthdr_desc *desc = NULL;
+ struct expr *expr;
+
+ if (type < array_size(sctp_chunk_protocols))
+ desc = sctp_chunk_protocols[type];
+
+ if (!desc)
+ return NULL;
+
+ tmpl = &desc->templates[field];
+ if (!tmpl)
+ return NULL;
+
+ expr = expr_alloc(loc, EXPR_EXTHDR, tmpl->dtype,
+ BYTEORDER_BIG_ENDIAN, tmpl->len);
+ expr->exthdr.desc = desc;
+ expr->exthdr.tmpl = tmpl;
+ expr->exthdr.op = NFT_EXTHDR_OP_SCTP;
+ expr->exthdr.raw_type = desc->type;
+ expr->exthdr.offset = tmpl->offset;
+
+ return expr;
+}
+
+void sctp_chunk_init_raw(struct expr *expr, uint8_t type, unsigned int off,
+ unsigned int len, uint32_t flags)
+{
+ const struct proto_hdr_template *tmpl;
+ unsigned int i;
+
+ assert(expr->etype == EXPR_EXTHDR);
+
+ expr->len = len;
+ expr->exthdr.flags = flags;
+ expr->exthdr.offset = off;
+ expr->exthdr.op = NFT_EXTHDR_OP_SCTP;
+
+ if (flags & NFT_EXTHDR_F_PRESENT)
+ datatype_set(expr, &boolean_type);
+ else
+ datatype_set(expr, &integer_type);
+
+ if (type >= array_size(sctp_chunk_protocols))
+ return;
+
+ expr->exthdr.desc = sctp_chunk_protocols[type];
+ expr->exthdr.flags = flags;
+ assert(expr->exthdr.desc != NULL);
+
+ for (i = 0; i < array_size(expr->exthdr.desc->templates); ++i) {
+ tmpl = &expr->exthdr.desc->templates[i];
+ if (tmpl->offset != off || tmpl->len != len)
+ continue;
+
+ if ((flags & NFT_EXTHDR_F_PRESENT) == 0)
+ datatype_set(expr, tmpl->dtype);
+
+ expr->exthdr.tmpl = tmpl;
+ break;
+ }
+}
diff --git a/src/segtree.c b/src/segtree.c
index a4e047e7..f721954f 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -288,6 +288,7 @@ out:
return 0;
err:
+ mpz_clear(p);
errno = EEXIST;
if (new->expr->etype == EXPR_MAPPING) {
new_expr = new->expr->left;
@@ -435,10 +436,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
struct expr *init, struct seg_tree *tree,
bool add, bool merge)
{
- struct elementary_interval *intervals[init->size];
+ struct elementary_interval **intervals;
struct expr *i, *next;
- unsigned int n;
- int err;
+ unsigned int n, m;
+ int err = 0;
/* We are updating an existing set with new elements, check if the new
* interval overlaps with any of the existing ones.
@@ -449,6 +450,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
return err;
}
+ intervals = xmalloc_array(init->size, sizeof(intervals[0]));
n = expr_to_intervals(init, tree->keylen, intervals);
list_for_each_entry_safe(i, next, &init->expressions, list) {
@@ -466,11 +468,23 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
*/
for (n = 0; n < init->size; n++) {
err = ei_insert(msgs, tree, intervals[n], merge);
- if (err < 0)
- return err;
+ if (err < 0) {
+ struct elementary_interval *ei;
+ struct rb_node *node, *next;
+
+ for (m = n; m < init->size; m++)
+ ei_destroy(intervals[m]);
+
+ rb_for_each_entry_safe(ei, node, next, &tree->root, rb_node) {
+ ei_remove(tree, ei);
+ ei_destroy(ei);
+ }
+ break;
+ }
}
- return 0;
+ xfree(intervals);
+ return err;
}
static bool segtree_needs_first_segment(const struct set *set,
@@ -535,7 +549,7 @@ static void segtree_linearize(struct list_head *list, const struct set *set,
*/
mpz_add_ui(p, prev->right, 1);
if (mpz_cmp(p, ei->left) < 0 ||
- (!(set->flags & NFT_SET_ANONYMOUS) && !merge)) {
+ (!set_is_anonymous(set->flags) && !merge)) {
mpz_sub_ui(q, ei->left, 1);
nei = ei_alloc(p, q, NULL, EI_F_INTERVAL_END);
list_add_tail(&nei->list, list);
diff --git a/src/statement.c b/src/statement.c
index f7f1c0c4..97b163e8 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -201,7 +201,7 @@ struct stmt *meter_stmt_alloc(const struct location *loc)
static void connlimit_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
- nft_print(octx, "ct count %s%u ",
+ nft_print(octx, "ct count %s%u",
stmt->connlimit.flags ? "over " : "", stmt->connlimit.count);
}
@@ -493,20 +493,30 @@ struct stmt *limit_stmt_alloc(const struct location *loc)
static void queue_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
{
- const char *delim = " ";
+ struct expr *e = stmt->queue.queue;
+ const char *delim = " flags ";
nft_print(octx, "queue");
- if (stmt->queue.queue != NULL) {
- nft_print(octx, " num ");
- expr_print(stmt->queue.queue, octx);
- }
+
if (stmt->queue.flags & NFT_QUEUE_FLAG_BYPASS) {
nft_print(octx, "%sbypass", delim);
delim = ",";
}
+
if (stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT)
nft_print(octx, "%sfanout", delim);
+ if (e) {
+ if (e->etype == EXPR_VALUE || e->etype == EXPR_RANGE) {
+ nft_print(octx, " num ");
+ expr_print(stmt->queue.queue, octx);
+ } else {
+ nft_print(octx, " to ");
+ expr_print(stmt->queue.queue, octx);
+ }
+ } else {
+ nft_print(octx, " num 0");
+ }
}
static void queue_stmt_destroy(struct stmt *stmt)
@@ -522,9 +532,15 @@ static const struct stmt_ops queue_stmt_ops = {
.destroy = queue_stmt_destroy,
};
-struct stmt *queue_stmt_alloc(const struct location *loc)
+struct stmt *queue_stmt_alloc(const struct location *loc, struct expr *e, uint16_t flags)
{
- return stmt_alloc(loc, &queue_stmt_ops);
+ struct stmt *stmt;
+
+ stmt = stmt_alloc(loc, &queue_stmt_ops);
+ stmt->queue.queue = e;
+ stmt->queue.flags = flags;
+
+ return stmt;
}
static void quota_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
@@ -569,7 +585,7 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
case NFT_REJECT_ICMPX_UNREACH:
if (stmt->reject.icmp_code == NFT_REJECT_ICMPX_PORT_UNREACH)
break;
- nft_print(octx, " with icmpx type ");
+ nft_print(octx, " with icmpx ");
expr_print(stmt->reject.expr, octx);
break;
case NFT_REJECT_ICMP_UNREACH:
@@ -578,14 +594,14 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
if (!stmt->reject.verbose_print &&
stmt->reject.icmp_code == ICMP_PORT_UNREACH)
break;
- nft_print(octx, " with icmp type ");
+ nft_print(octx, " with icmp ");
expr_print(stmt->reject.expr, octx);
break;
case NFPROTO_IPV6:
if (!stmt->reject.verbose_print &&
stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
break;
- nft_print(octx, " with icmpv6 type ");
+ nft_print(octx, " with icmpv6 ");
expr_print(stmt->reject.expr, octx);
break;
}
@@ -657,12 +673,8 @@ static void nat_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
break;
}
- if (stmt->nat.type_flags & STMT_NAT_F_CONCAT)
- nft_print(octx, " addr . port");
- else if (stmt->nat.type_flags & STMT_NAT_F_PREFIX)
+ if (stmt->nat.type_flags & STMT_NAT_F_PREFIX)
nft_print(octx, " prefix");
- else if (stmt->nat.type_flags & STMT_NAT_F_INTERVAL)
- nft_print(octx, " interval");
nft_print(octx, " to");
}
diff --git a/src/utils.c b/src/utils.c
index 47f5b791..925841c5 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -50,6 +50,16 @@ void *xmalloc_array(size_t nmemb, size_t size)
return xmalloc(nmemb * size);
}
+void *xzalloc_array(size_t nmemb, size_t size)
+{
+ void *ptr;
+
+ ptr = xmalloc_array(nmemb, size);
+ memset(ptr, 0, nmemb * size);
+
+ return ptr;
+}
+
void *xrealloc(void *ptr, size_t size)
{
ptr = realloc(ptr, size);
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 0b894cce..125b0a3f 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -115,8 +115,6 @@ meta skgid gt 3000 accept;ok;meta skgid > 3000 accept
meta skgid eq 3000 accept;ok;meta skgid 3000 accept
meta skgid 2001-2005 accept;ok
meta skgid != 2001-2005 accept;ok
-meta skgid { 2001-2005} accept;ok
-meta skgid != { 2001-2005} accept;ok
# BUG: meta nftrace 2 and meta nftrace 1
# $ sudo nft add rule ip test input meta nftrace 2
@@ -194,8 +192,6 @@ meta cgroup { 1048577, 1048578 };ok
meta cgroup != { 1048577, 1048578};ok
meta cgroup 1048577-1048578;ok
meta cgroup != 1048577-1048578;ok
-meta cgroup {1048577-1048578};ok
-meta cgroup != { 1048577-1048578};ok
meta iif . meta oif { "lo" . "lo" };ok;iif . oif { "lo" . "lo" }
meta iif . meta oif . meta mark { "lo" . "lo" . 0x0000000a };ok;iif . oif . meta mark { "lo" . "lo" . 0x0000000a }
diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json
index 1a98843c..fd4d1c2a 100644
--- a/tests/py/any/meta.t.json
+++ b/tests/py/any/meta.t.json
@@ -1476,46 +1476,6 @@
}
]
-# meta skgid { 2001-2005} accept
-[
- {
- "match": {
- "left": {
- "meta": { "key": "skgid" }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 2001, 2005 ] }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
-# meta skgid != { 2001-2005} accept
-[
- {
- "match": {
- "left": {
- "meta": { "key": "skgid" }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 2001, 2005 ] }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
# meta mark set 0xffffffc8 xor 0x16
[
{
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index 4e43905e..b79a0255 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -961,44 +961,6 @@ ip test-ip4 input
[ meta load oifgroup => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# meta skgid { 2001-2005} accept
-__set%d test-ip4 7 size 3
-__set%d test-ip4 0
- element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end]
-ip test-ip4 input
- [ meta load skgid => reg 1 ]
- [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 accept ]
-
-# meta skgid != { 2001-2005} accept
-__set%d test-ip4 7 size 3
-__set%d test-ip4 0
- element 00000000 : 1 [end] element d1070000 : 0 [end] element d6070000 : 1 [end]
-ip test-ip4 input
- [ meta load skgid => reg 1 ]
- [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
-# meta cgroup {1048577-1048578}
-__set%d test-ip4 7 size 3
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 01001000 : 0 [end] element 03001000 : 1 [end]
-ip test-ip4 input
- [ meta load cgroup => reg 1 ]
- [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ lookup reg 1 set __set%d ]
-
-# meta cgroup != { 1048577-1048578}
-__set%d test-ip4 7 size 3
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 01001000 : 0 [end] element 03001000 : 1 [end]
-ip test-ip4 input
- [ meta load cgroup => reg 1 ]
- [ byteorder reg 1 = hton(reg 1, 4, 4) ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# meta time "1970-05-23 21:07:14" drop
ip meta-test input
[ meta load time => reg 1 ]
diff --git a/tests/py/any/queue.t b/tests/py/any/queue.t
index 75c071dd..446b8b18 100644
--- a/tests/py/any/queue.t
+++ b/tests/py/any/queue.t
@@ -12,7 +12,17 @@ queue num 65535;ok
queue num 65536;fail
queue num 2-3;ok
queue num 1-65535;ok
-- queue num {3, 4, 6};ok
-queue num 4-5 fanout bypass;ok;queue num 4-5 bypass,fanout
-queue num 4-5 fanout;ok
-queue num 4-5 bypass;ok
+queue num 4-5 fanout bypass;ok;queue flags bypass,fanout num 4-5
+queue num 4-5 fanout;ok;queue flags fanout num 4-5
+queue num 4-5 bypass;ok;queue flags bypass num 4-5
+
+queue to symhash mod 2 offset 65536;fail
+queue num symhash mod 65536;fail
+queue to symhash mod 65536;ok
+queue flags fanout to symhash mod 65536;fail
+queue flags bypass,fanout to symhash mod 65536;fail
+queue flags bypass to numgen inc mod 65536;ok
+queue to jhash oif . meta mark mod 32;ok
+queue to oif;fail
+queue num oif;fail
+queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 };ok
diff --git a/tests/py/any/queue.t.json b/tests/py/any/queue.t.json
index 48e86727..162bdff8 100644
--- a/tests/py/any/queue.t.json
+++ b/tests/py/any/queue.t.json
@@ -84,3 +84,93 @@
}
]
+# queue to symhash mod 65536
+[
+ {
+ "queue": {
+ "num": {
+ "symhash": {
+ "mod": 65536
+ }
+ }
+ }
+ }
+]
+
+# queue flags bypass to numgen inc mod 65536
+[
+ {
+ "queue": {
+ "flags": "bypass",
+ "num": {
+ "numgen": {
+ "mod": 65536,
+ "mode": "inc",
+ "offset": 0
+ }
+ }
+ }
+ }
+]
+
+# queue to jhash oif . meta mark mod 32
+[
+ {
+ "queue": {
+ "num": {
+ "jhash": {
+ "expr": {
+ "concat": [
+ {
+ "meta": {
+ "key": "oif"
+ }
+ },
+ {
+ "meta": {
+ "key": "mark"
+ }
+ }
+ ]
+ },
+ "mod": 32
+ }
+ }
+ }
+ }
+]
+
+# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
+[
+ {
+ "queue": {
+ "flags": "bypass",
+ "num": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ "eth0",
+ 0
+ ],
+ [
+ "ppp0",
+ 2
+ ],
+ [
+ "eth1",
+ 2
+ ]
+ ]
+ },
+ "key": {
+ "meta": {
+ "key": "oifname"
+ }
+ }
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/any/queue.t.payload b/tests/py/any/queue.t.payload
index 78d939c6..02660afa 100644
--- a/tests/py/any/queue.t.payload
+++ b/tests/py/any/queue.t.payload
@@ -30,3 +30,28 @@ ip test-ip4 output
ip test-ip4 output
[ queue num 4-5 bypass ]
+# queue to symhash mod 65536
+ip
+ [ hash reg 1 = symhash() % mod 65536 ]
+ [ queue sreg_qnum 1 ]
+
+# queue to jhash oif . meta mark mod 32
+ip
+ [ meta load oif => reg 2 ]
+ [ meta load mark => reg 13 ]
+ [ hash reg 1 = jhash(reg 2, 8, 0x0) % mod 32 ]
+ [ queue sreg_qnum 1 ]
+
+# queue flags bypass to numgen inc mod 65536
+ip
+ [ numgen reg 1 = inc mod 65536 ]
+ [ queue sreg_qnum 1 bypass ]
+
+# queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }
+__map%d test-ip4 b size 3
+__map%d test-ip4 0
+ element 30687465 00000000 00000000 00000000 : 00000000 0 [end] element 30707070 00000000 00000000 00000000 : 00000002 0 [end] element 31687465 00000000 00000000 00000000 : 00000002 0 [end]
+ip
+ [ meta load oifname => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ queue sreg_qnum 1 bypass ]
diff --git a/tests/py/arp/arp.t b/tests/py/arp/arp.t
index 2eee7838..178cf82b 100644
--- a/tests/py/arp/arp.t
+++ b/tests/py/arp/arp.t
@@ -13,8 +13,6 @@ arp htype 33-45;ok
arp htype != 33-45;ok
arp htype { 33, 55, 67, 88};ok
arp htype != { 33, 55, 67, 88};ok
-arp htype { 33-55};ok
-arp htype != { 33-55};ok
arp ptype 0x0800;ok;arp ptype ip
@@ -24,8 +22,6 @@ arp hlen 33-45;ok
arp hlen != 33-45;ok
arp hlen { 33, 55, 67, 88};ok
arp hlen != { 33, 55, 67, 88};ok
-arp hlen { 33-55};ok
-arp hlen != { 33-55};ok
arp plen 22;ok
arp plen != 233;ok
@@ -33,8 +29,6 @@ arp plen 33-45;ok
arp plen != 33-45;ok
arp plen { 33, 55, 67, 88};ok
arp plen != { 33, 55, 67, 88};ok
-arp plen { 33-55};ok
-arp plen != {33-55};ok
arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request};ok
diff --git a/tests/py/arp/arp.t.json b/tests/py/arp/arp.t.json
index 73224f7e..7ce76095 100644
--- a/tests/py/arp/arp.t.json
+++ b/tests/py/arp/arp.t.json
@@ -144,46 +144,6 @@
}
]
-# arp htype { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "htype",
- "protocol": "arp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# arp htype != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "htype",
- "protocol": "arp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# arp ptype 0x0800
[
{
@@ -314,46 +274,6 @@
}
]
-# arp hlen { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "hlen",
- "protocol": "arp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# arp hlen != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "hlen",
- "protocol": "arp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# arp plen 22
[
{
@@ -468,46 +388,6 @@
}
]
-# arp plen { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "plen",
- "protocol": "arp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# arp plen != {33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "plen",
- "protocol": "arp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
[
{
diff --git a/tests/py/arp/arp.t.payload b/tests/py/arp/arp.t.payload
index a95c834e..d56927b5 100644
--- a/tests/py/arp/arp.t.payload
+++ b/tests/py/arp/arp.t.payload
@@ -45,22 +45,6 @@ arp test-arp input
[ payload load 2b @ network header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# arp htype { 33-55}
-__set%d test-arp 7
-__set%d test-arp 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-arp test-arp input
- [ payload load 2b @ network header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# arp htype != { 33-55}
-__set%d test-arp 7
-__set%d test-arp 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-arp test-arp input
- [ payload load 2b @ network header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# arp ptype 0x0800
arp test-arp input
[ payload load 2b @ network header + 2 => reg 1 ]
@@ -103,22 +87,6 @@ arp test-arp input
[ payload load 1b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# arp hlen { 33-55}
-__set%d test-arp 7
-__set%d test-arp 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-arp test-arp input
- [ payload load 1b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# arp hlen != { 33-55}
-__set%d test-arp 7
-__set%d test-arp 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-arp test-arp input
- [ payload load 1b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# arp plen 22
arp test-arp input
[ payload load 1b @ network header + 5 => reg 1 ]
@@ -156,22 +124,6 @@ arp test-arp input
[ payload load 1b @ network header + 5 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# arp plen { 33-55}
-__set%d test-arp 7
-__set%d test-arp 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-arp test-arp input
- [ payload load 1b @ network header + 5 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# arp plen != {33-55}
-__set%d test-arp 7
-__set%d test-arp 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-arp test-arp input
- [ payload load 1b @ network header + 5 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
__set%d test-arp 3
__set%d test-arp 0
diff --git a/tests/py/arp/arp.t.payload.netdev b/tests/py/arp/arp.t.payload.netdev
index ac985a9a..92df2400 100644
--- a/tests/py/arp/arp.t.payload.netdev
+++ b/tests/py/arp/arp.t.payload.netdev
@@ -61,26 +61,6 @@ netdev test-netdev ingress
[ payload load 2b @ network header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# arp htype { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000608 ]
- [ payload load 2b @ network header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# arp htype != { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000608 ]
- [ payload load 2b @ network header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# arp ptype 0x0800
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
@@ -137,26 +117,6 @@ netdev test-netdev ingress
[ payload load 1b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# arp hlen { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000608 ]
- [ payload load 1b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# arp hlen != { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000608 ]
- [ payload load 1b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# arp plen 22
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
@@ -206,26 +166,6 @@ netdev test-netdev ingress
[ payload load 1b @ network header + 5 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# arp plen { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000608 ]
- [ payload load 1b @ network header + 5 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# arp plen != {33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000608 ]
- [ payload load 1b @ network header + 5 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}
__set%d test-netdev 3
__set%d test-netdev 0
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index b242eef4..336b51bb 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -3,40 +3,40 @@
*bridge;test-bridge;input
# The output is specific for bridge family
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
-
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
mark 12345 ip protocol tcp reject with tcp reset;ok;meta mark 0x00003039 ip protocol 6 reject with tcp reset
reject;ok
-ether type ip reject;ok;reject with icmp type port-unreachable
-ether type ip6 reject;ok;reject with icmpv6 type port-unreachable
+ether type ip reject;ok;reject with icmp port-unreachable
+ether type ip6 reject;ok;reject with icmpv6 port-unreachable
-reject with icmpx type host-unreachable;ok
-reject with icmpx type no-route;ok
-reject with icmpx type admin-prohibited;ok
-reject with icmpx type port-unreachable;ok;reject
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
-ether type ipv6 reject with icmp type host-unreachable;fail
-ether type ip6 reject with icmp type host-unreachable;fail
-ether type ip reject with icmpv6 type no-route;fail
+ether type ipv6 reject with icmp host-unreachable;fail
+ether type ip6 reject with icmp host-unreachable;fail
+ether type ip reject with icmpv6 no-route;fail
ether type vlan reject;ok;ether type 8021q reject
ether type arp reject;fail
ether type vlan reject with tcp reset;ok;meta l4proto 6 ether type 8021q reject with tcp reset
ether type arp reject with tcp reset;fail
ip protocol udp reject with tcp reset;fail
-ether type ip reject with icmpx type admin-prohibited;ok
-ether type ip6 reject with icmpx type admin-prohibited;ok
-ether type 8021q reject with icmpx type admin-prohibited;ok
-ether type arp reject with icmpx type admin-prohibited;fail
+ether type ip reject with icmpx admin-prohibited;ok
+ether type ip6 reject with icmpx admin-prohibited;ok
+ether type 8021q reject with icmpx admin-prohibited;ok
+ether type arp reject with icmpx admin-prohibited;fail
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
index fe21734d..9f9e6c1e 100644
--- a/tests/py/bridge/reject.t.json
+++ b/tests/py/bridge/reject.t.json
@@ -1,4 +1,4 @@
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
[
{
"reject": {
@@ -8,7 +8,7 @@
}
]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
[
{
"reject": {
@@ -18,7 +18,7 @@
}
]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
[
{
"reject": {
@@ -28,7 +28,7 @@
}
]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
[
{
"reject": {
@@ -38,7 +38,7 @@
}
]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
[
{
"reject": {
@@ -48,7 +48,7 @@
}
]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
[
{
"reject": {
@@ -58,7 +58,7 @@
}
]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
[
{
"reject": {
@@ -68,7 +68,7 @@
}
]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
[
{
"reject": {
@@ -78,7 +78,7 @@
}
]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
[
{
"reject": {
@@ -88,7 +88,7 @@
}
]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
[
{
"reject": {
@@ -98,7 +98,7 @@
}
]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
[
{
"reject": {
@@ -183,7 +183,7 @@
}
]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
[
{
"reject": {
@@ -193,7 +193,7 @@
}
]
-# reject with icmpx type no-route
+# reject with icmpx no-route
[
{
"reject": {
@@ -203,7 +203,7 @@
}
]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
[
{
"reject": {
@@ -213,7 +213,7 @@
}
]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
[
{
"reject": {
@@ -223,7 +223,7 @@
}
]
-# ether type ip reject with icmpx type admin-prohibited
+# ether type ip reject with icmpx admin-prohibited
[
{
"match": {
@@ -245,7 +245,7 @@
}
]
-# ether type ip6 reject with icmpx type admin-prohibited
+# ether type ip6 reject with icmpx admin-prohibited
[
{
"match": {
@@ -318,7 +318,7 @@
}
]
-# ether type 8021q reject with icmpx type admin-prohibited
+# ether type 8021q reject with icmpx admin-prohibited
[
{
"match": {
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index 22569877..bad9adc0 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
@@ -1,64 +1,64 @@
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 13 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
bridge test-bridge input
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
@@ -90,29 +90,29 @@ bridge test-bridge input
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
bridge test-bridge input
[ reject type 2 code 2 ]
-# reject with icmpx type no-route
+# reject with icmpx no-route
bridge test-bridge input
[ reject type 2 code 0 ]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
bridge test-bridge input
[ reject type 2 code 3 ]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
bridge test-bridge input
[ reject type 2 code 1 ]
-# ether type ip reject with icmpx type admin-prohibited
+# ether type ip reject with icmpx admin-prohibited
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 2 code 3 ]
-# ether type ip6 reject with icmpx type admin-prohibited
+# ether type ip6 reject with icmpx admin-prohibited
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
@@ -132,7 +132,7 @@ bridge
[ cmp eq reg 1 0x00000081 ]
[ reject type 1 code 0 ]
-# ether type 8021q reject with icmpx type admin-prohibited
+# ether type 8021q reject with icmpx admin-prohibited
bridge
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t
index f67b8180..fd39d222 100644
--- a/tests/py/bridge/vlan.t
+++ b/tests/py/bridge/vlan.t
@@ -8,20 +8,21 @@ vlan id 4094;ok
vlan id 0;ok
# bad vlan id
vlan id 4096;fail
-vlan id 4094 vlan cfi 0;ok
-vlan id 4094 vlan cfi != 1;ok
-vlan id 4094 vlan cfi 1;ok
-# bad cfi
-vlan id 4094 vlan cfi 2;fail
-vlan id 4094 vlan cfi 1 vlan pcp 8;fail
-vlan id 4094 vlan cfi 1 vlan pcp 7;ok
-vlan id 4094 vlan cfi 1 vlan pcp 3;ok
+vlan id 4094 vlan dei 0;ok
+vlan id 4094 vlan dei 1;ok
+vlan id 4094 vlan dei != 1;ok
+vlan id 4094 vlan cfi 1;ok;vlan id 4094 vlan dei 1
+# bad dei
+vlan id 4094 vlan dei 2;fail
+vlan id 4094 vlan dei 1 vlan pcp 8;fail
+vlan id 4094 vlan dei 1 vlan pcp 7;ok
+vlan id 4094 vlan dei 1 vlan pcp 3;ok
ether type vlan vlan id 4094;ok;vlan id 4094
ether type vlan vlan id 0;ok;vlan id 0
-ether type vlan vlan id 4094 vlan cfi 0;ok;vlan id 4094 vlan cfi 0
-ether type vlan vlan id 4094 vlan cfi 1;ok;vlan id 4094 vlan cfi 1
-ether type vlan vlan id 4094 vlan cfi 2;fail
+ether type vlan vlan id 4094 vlan dei 0;ok;vlan id 4094 vlan dei 0
+ether type vlan vlan id 4094 vlan dei 1;ok;vlan id 4094 vlan dei 1
+ether type vlan vlan id 4094 vlan dei 2;fail
vlan id 4094 tcp dport 22;ok
vlan id 1 ip saddr 10.0.0.1;ok
diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json
index 2a4b64f2..dae70170 100644
--- a/tests/py/bridge/vlan.t.json
+++ b/tests/py/bridge/vlan.t.json
@@ -30,7 +30,7 @@
}
]
-# vlan id 4094 vlan cfi 0
+# vlan id 4094 vlan dei 0
[
{
"match": {
@@ -48,7 +48,7 @@
"match": {
"left": {
"payload": {
- "field": "cfi",
+ "field": "dei",
"protocol": "vlan"
}
},
@@ -58,7 +58,7 @@
}
]
-# vlan id 4094 vlan cfi != 1
+# vlan id 4094 vlan dei 1
[
{
"match": {
@@ -76,7 +76,35 @@
"match": {
"left": {
"payload": {
- "field": "cfi",
+ "field": "dei",
+ "protocol": "vlan"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# vlan id 4094 vlan dei != 1
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "vlan"
+ }
+ },
+ "op": "==",
+ "right": 4094
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "dei",
"protocol": "vlan"
}
},
@@ -104,7 +132,7 @@
"match": {
"left": {
"payload": {
- "field": "cfi",
+ "field": "dei",
"protocol": "vlan"
}
},
@@ -114,7 +142,7 @@
}
]
-# vlan id 4094 vlan cfi 1 vlan pcp 7
+# vlan id 4094 vlan dei 1 vlan pcp 7
[
{
"match": {
@@ -132,7 +160,7 @@
"match": {
"left": {
"payload": {
- "field": "cfi",
+ "field": "dei",
"protocol": "vlan"
}
},
@@ -154,7 +182,7 @@
}
]
-# vlan id 4094 vlan cfi 1 vlan pcp 3
+# vlan id 4094 vlan dei 1 vlan pcp 3
[
{
"match": {
@@ -172,7 +200,7 @@
"match": {
"left": {
"payload": {
- "field": "cfi",
+ "field": "dei",
"protocol": "vlan"
}
},
@@ -226,7 +254,7 @@
}
]
-# ether type vlan vlan id 4094 vlan cfi 0
+# ether type vlan vlan id 4094 vlan dei 0
[
{
"match": {
@@ -244,7 +272,7 @@
"match": {
"left": {
"payload": {
- "field": "cfi",
+ "field": "dei",
"protocol": "vlan"
}
},
@@ -254,7 +282,7 @@
}
]
-# ether type vlan vlan id 4094 vlan cfi 1
+# ether type vlan vlan id 4094 vlan dei 1
[
{
"match": {
@@ -272,7 +300,7 @@
"match": {
"left": {
"payload": {
- "field": "cfi",
+ "field": "dei",
"protocol": "vlan"
}
},
diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload
index a78f2946..49fd0ea7 100644
--- a/tests/py/bridge/vlan.t.payload
+++ b/tests/py/bridge/vlan.t.payload
@@ -14,7 +14,18 @@ bridge test-bridge input
[ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# vlan id 4094 vlan cfi 0
+# vlan id 4094 vlan cfi 1
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000fe0f ]
+ [ payload load 1b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000010 ]
+
+# vlan id 4094 vlan dei 0
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
@@ -25,7 +36,7 @@ bridge test-bridge input
[ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# vlan id 4094 vlan cfi != 1
+# vlan id 4094 vlan dei != 1
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
@@ -36,7 +47,7 @@ bridge test-bridge input
[ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000010 ]
-# vlan id 4094 vlan cfi 1
+# vlan id 4094 vlan dei 1
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
@@ -63,7 +74,7 @@ bridge test-bridge input
[ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# ether type vlan vlan id 4094 vlan cfi 0
+# ether type vlan vlan id 4094 vlan dei 0
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
@@ -74,7 +85,7 @@ bridge test-bridge input
[ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# ether type vlan vlan id 4094 vlan cfi 1
+# ether type vlan vlan id 4094 vlan dei 1
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
@@ -156,7 +167,7 @@ bridge test-bridge input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00003500 ]
-# vlan id 4094 vlan cfi 1 vlan pcp 7
+# vlan id 4094 vlan dei 1 vlan pcp 7
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
@@ -170,7 +181,7 @@ bridge test-bridge input
[ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x000000e0 ]
-# vlan id 4094 vlan cfi 1 vlan pcp 3
+# vlan id 4094 vlan dei 1 vlan pcp 3
bridge test-bridge input
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0x00000081 ]
diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev
index 22e244e2..1a2c08ae 100644
--- a/tests/py/bridge/vlan.t.payload.netdev
+++ b/tests/py/bridge/vlan.t.payload.netdev
@@ -18,7 +18,7 @@ netdev test-netdev ingress
[ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# vlan id 4094 vlan cfi 0
+# vlan id 4094 vlan dei 0
netdev test-netdev ingress
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
@@ -31,7 +31,7 @@ netdev test-netdev ingress
[ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# vlan id 4094 vlan cfi != 1
+# vlan id 4094 vlan dei != 1
netdev test-netdev ingress
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
@@ -45,6 +45,19 @@ netdev test-netdev ingress
[ cmp neq reg 1 0x00000010 ]
# vlan id 4094 vlan cfi 1
+netdev
+ [ meta load iiftype => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ payload load 2b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000fe0f ]
+ [ payload load 1b @ link header + 14 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x00000010 ]
+
+# vlan id 4094 vlan dei 1
netdev test-netdev ingress
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
@@ -77,7 +90,7 @@ netdev test-netdev ingress
[ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# ether type vlan vlan id 4094 vlan cfi 0
+# ether type vlan vlan id 4094 vlan dei 0
netdev test-netdev ingress
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
@@ -90,7 +103,7 @@ netdev test-netdev ingress
[ bitwise reg 1 = ( reg 1 & 0x00000010 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000000 ]
-# ether type vlan vlan id 4094 vlan cfi 1
+# ether type vlan vlan id 4094 vlan dei 1
netdev test-netdev ingress
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
@@ -184,7 +197,7 @@ netdev test-netdev ingress
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00003500 ]
-# vlan id 4094 vlan cfi 1 vlan pcp 7
+# vlan id 4094 vlan dei 1 vlan pcp 7
netdev test-netdev ingress
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
@@ -200,7 +213,7 @@ netdev test-netdev ingress
[ bitwise reg 1 = ( reg 1 & 0x000000e0 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x000000e0 ]
-# vlan id 4094 vlan cfi 1 vlan pcp 3
+# vlan id 4094 vlan dei 1 vlan pcp 3
netdev test-netdev ingress
[ meta load iiftype => reg 1 ]
[ cmp eq reg 1 0x00000001 ]
diff --git a/tests/py/inet/ah.t b/tests/py/inet/ah.t
index 945db996..78c454f7 100644
--- a/tests/py/inet/ah.t
+++ b/tests/py/inet/ah.t
@@ -20,8 +20,6 @@
ah hdrlength 11-23;ok
ah hdrlength != 11-23;ok
-ah hdrlength { 11-23};ok
-ah hdrlength != { 11-23};ok
ah hdrlength {11, 23, 44 };ok
ah hdrlength != {11, 23, 44 };ok
@@ -31,8 +29,6 @@ ah reserved 33-45;ok
ah reserved != 33-45;ok
ah reserved {23, 100};ok
ah reserved != {23, 100};ok
-ah reserved { 33-55};ok
-ah reserved != { 33-55};ok
ah spi 111;ok
ah spi != 111;ok
@@ -40,15 +36,11 @@ ah spi 111-222;ok
ah spi != 111-222;ok
ah spi {111, 122};ok
ah spi != {111, 122};ok
-ah spi { 111-122};ok
-ah spi != { 111-122};ok
# sequence
ah sequence 123;ok
ah sequence != 123;ok
ah sequence {23, 25, 33};ok
ah sequence != {23, 25, 33};ok
-ah sequence { 23-33};ok
-ah sequence != { 23-33};ok
ah sequence 23-33;ok
ah sequence != 23-33;ok
diff --git a/tests/py/inet/ah.t.json b/tests/py/inet/ah.t.json
index 4efdb0dd..217280b6 100644
--- a/tests/py/inet/ah.t.json
+++ b/tests/py/inet/ah.t.json
@@ -34,46 +34,6 @@
}
]
-# ah hdrlength { 11-23}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "hdrlength",
- "protocol": "ah"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 11, 23 ] }
- ]
- }
- }
- }
-]
-
-# ah hdrlength != { 11-23}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "hdrlength",
- "protocol": "ah"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 11, 23 ] }
- ]
- }
- }
- }
-]
-
# ah hdrlength {11, 23, 44 }
[
{
@@ -228,46 +188,6 @@
}
]
-# ah reserved { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "reserved",
- "protocol": "ah"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# ah reserved != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "reserved",
- "protocol": "ah"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ah spi 111
[
{
@@ -378,46 +298,6 @@
}
]
-# ah spi { 111-122}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "spi",
- "protocol": "ah"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 111, 122 ] }
- ]
- }
- }
- }
-]
-
-# ah spi != { 111-122}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "spi",
- "protocol": "ah"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 111, 122 ] }
- ]
- }
- }
- }
-]
-
# ah sequence 123
[
{
@@ -494,46 +374,6 @@
}
]
-# ah sequence { 23-33}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "ah"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 23, 33 ] }
- ]
- }
- }
- }
-]
-
-# ah sequence != { 23-33}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "ah"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 23, 33 ] }
- ]
- }
- }
- }
-]
-
# ah sequence 23-33
[
{
diff --git a/tests/py/inet/ah.t.payload b/tests/py/inet/ah.t.payload
index 5ec5fba1..7ddd72d5 100644
--- a/tests/py/inet/ah.t.payload
+++ b/tests/py/inet/ah.t.payload
@@ -13,26 +13,6 @@ inet test-inet input
[ payload load 1b @ transport header + 1 => reg 1 ]
[ range neq reg 1 0x0000000b 0x00000017 ]
-# ah hdrlength { 11-23}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ah hdrlength != { 11-23}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 0000000b : 0 [end] element 00000018 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ah hdrlength {11, 23, 44 }
__set%d test-inet 3
__set%d test-inet 0
@@ -102,26 +82,6 @@ inet test-inet input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ah reserved { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ah reserved != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ah spi 111
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -171,26 +131,6 @@ inet test-inet input
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ah spi { 111-122}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ah spi != { 111-122}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 6f000000 : 0 [end] element 7b000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ah sequence 123
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -225,26 +165,6 @@ inet test-inet input
[ payload load 4b @ transport header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ah sequence { 23-33}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 4b @ transport header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ah sequence != { 23-33}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 17000000 : 0 [end] element 22000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000033 ]
- [ payload load 4b @ transport header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ah sequence 23-33
inet test-inet input
[ meta load l4proto => reg 1 ]
diff --git a/tests/py/inet/comp.t b/tests/py/inet/comp.t
index 0df18139..ec9924ff 100644
--- a/tests/py/inet/comp.t
+++ b/tests/py/inet/comp.t
@@ -20,8 +20,6 @@ comp flags 0x33-0x45;ok
comp flags != 0x33-0x45;ok
comp flags {0x33, 0x55, 0x67, 0x88};ok
comp flags != {0x33, 0x55, 0x67, 0x88};ok
-comp flags { 0x33-0x55};ok
-comp flags != { 0x33-0x55};ok
comp cpi 22;ok
comp cpi != 233;ok
@@ -29,5 +27,3 @@ comp cpi 33-45;ok
comp cpi != 33-45;ok
comp cpi {33, 55, 67, 88};ok
comp cpi != {33, 55, 67, 88};ok
-comp cpi { 33-55};ok
-comp cpi != { 33-55};ok
diff --git a/tests/py/inet/comp.t.json b/tests/py/inet/comp.t.json
index b9b24f98..c9f6fcac 100644
--- a/tests/py/inet/comp.t.json
+++ b/tests/py/inet/comp.t.json
@@ -128,46 +128,6 @@
}
]
-# comp flags { 0x33-0x55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "flags",
- "protocol": "comp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ "0x33", "0x55" ] }
- ]
- }
- }
- }
-]
-
-# comp flags != { 0x33-0x55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "flags",
- "protocol": "comp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ "0x33", "0x55" ] }
- ]
- }
- }
- }
-]
-
# comp cpi 22
[
{
@@ -282,43 +242,3 @@
}
]
-# comp cpi { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "cpi",
- "protocol": "comp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# comp cpi != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "cpi",
- "protocol": "comp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
diff --git a/tests/py/inet/comp.t.payload b/tests/py/inet/comp.t.payload
index dec38aea..024e47cd 100644
--- a/tests/py/inet/comp.t.payload
+++ b/tests/py/inet/comp.t.payload
@@ -54,26 +54,6 @@ inet test-inet input
[ payload load 1b @ transport header + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# comp flags { 0x33-0x55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# comp flags != { 0x33-0x55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000033 : 0 [end] element 00000056 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# comp cpi 22
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -123,23 +103,3 @@ inet test-inet input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# comp cpi { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# comp cpi != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000006c ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t
index 3d0dffad..5312b328 100644
--- a/tests/py/inet/ct.t
+++ b/tests/py/inet/ct.t
@@ -6,7 +6,7 @@
meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4
ct original ip6 saddr ::1;ok
-ct original ip daddr {1.2.3.4} accept;ok
+ct original ip daddr 1.2.3.4 accept;ok
# missing protocol context
ct original saddr ::1;fail
diff --git a/tests/py/inet/ct.t.json b/tests/py/inet/ct.t.json
index e7f928ca..223ac9e7 100644
--- a/tests/py/inet/ct.t.json
+++ b/tests/py/inet/ct.t.json
@@ -39,7 +39,7 @@
}
]
-# ct original ip daddr {1.2.3.4} accept
+# ct original ip daddr 1.2.3.4 accept
[
{
"match": {
@@ -50,11 +50,7 @@
}
},
"op": "==",
- "right": {
- "set": [
- "1.2.3.4"
- ]
- }
+ "right": "1.2.3.4"
}
},
{
diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload
index 3b274f8c..f7a2ef27 100644
--- a/tests/py/inet/ct.t.payload
+++ b/tests/py/inet/ct.t.payload
@@ -10,11 +10,8 @@ inet test-inet input
[ ct load src_ip6 => reg 1 , dir original ]
[ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
-# ct original ip daddr {1.2.3.4} accept
-__set%d test-inet 3 size 1
-__set%d test-inet 0
- element 04030201 : 0 [end]
+# ct original ip daddr 1.2.3.4 accept
inet test-inet input
[ ct load dst_ip => reg 1 , dir original ]
- [ lookup reg 1 set __set%d ]
+ [ cmp eq reg 1 0x04030201 ]
[ immediate reg 0 accept ]
diff --git a/tests/py/inet/dccp.t b/tests/py/inet/dccp.t
index 9a81bb2e..2216fa2a 100644
--- a/tests/py/inet/dccp.t
+++ b/tests/py/inet/dccp.t
@@ -11,17 +11,12 @@ dccp sport != 21-35;ok
dccp sport {23, 24, 25};ok
dccp sport != {23, 24, 25};ok
-dccp sport { 20-50 };ok
dccp sport 20-50;ok
-dccp sport { 20-50};ok
-dccp sport != { 20-50};ok
# dccp dport 21-35;ok
# dccp dport != 21-35;ok
dccp dport {23, 24, 25};ok
dccp dport != {23, 24, 25};ok
-dccp dport { 20-50};ok
-dccp dport != { 20-50};ok
dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack};ok
diff --git a/tests/py/inet/dccp.t.json b/tests/py/inet/dccp.t.json
index 97e33c14..806ef5ee 100644
--- a/tests/py/inet/dccp.t.json
+++ b/tests/py/inet/dccp.t.json
@@ -78,26 +78,6 @@
}
]
-# dccp sport { 20-50 }
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "dccp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 20, 50 ] }
- ]
- }
- }
- }
-]
-
# dccp sport 20-50
[
{
@@ -116,46 +96,6 @@
}
]
-# dccp sport { 20-50}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "dccp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 20, 50 ] }
- ]
- }
- }
- }
-]
-
-# dccp sport != { 20-50}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "dccp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 20, 50 ] }
- ]
- }
- }
- }
-]
-
# dccp dport {23, 24, 25}
[
{
@@ -200,46 +140,6 @@
}
]
-# dccp dport { 20-50}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "dccp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 20, 50 ] }
- ]
- }
- }
- }
-]
-
-# dccp dport != { 20-50}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "dccp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 20, 50 ] }
- ]
- }
- }
- }
-]
-
# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
[
{
diff --git a/tests/py/inet/dccp.t.payload b/tests/py/inet/dccp.t.payload
index b252d829..fbe9dc5b 100644
--- a/tests/py/inet/dccp.t.payload
+++ b/tests/py/inet/dccp.t.payload
@@ -33,16 +33,6 @@ inet test-inet input
[ payload load 2b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# dccp sport { 20-50 }
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000021 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
# dccp sport 20-50
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -51,26 +41,6 @@ inet test-inet input
[ cmp gte reg 1 0x00001400 ]
[ cmp lte reg 1 0x00003200 ]
-# dccp sport { 20-50}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000021 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# dccp sport != { 20-50}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000021 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# dccp dport {23, 24, 25}
__set%d test-ip4 3
__set%d test-ip4 0
@@ -91,26 +61,6 @@ inet test-inet input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# dccp dport { 20-50}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000021 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# dccp dport != { 20-50}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00001400 : 0 [end] element 00003300 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000021 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}
__set%d test-inet 3
__set%d test-inet 0
diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
index b460af39..e4e169f2 100644
--- a/tests/py/inet/dnat.t
+++ b/tests/py/inet/dnat.t
@@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok
iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
+meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
index 1b8aba62..c341a045 100644
--- a/tests/py/inet/dnat.t.json
+++ b/tests/py/inet/dnat.t.json
@@ -219,3 +219,23 @@
}
]
+# meta l4proto tcp dnat to :80
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "dnat": {
+ "port": 80
+ }
+ }
+]
+
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
index ca3ff631..ce1601ab 100644
--- a/tests/py/inet/dnat.t.payload
+++ b/tests/py/inet/dnat.t.payload
@@ -77,3 +77,10 @@ inet
[ immediate reg 2 0x00005000 ]
[ nat dnat ip addr_min reg 1 proto_min reg 2 flags 0x2 ]
+# meta l4proto tcp dnat to :80
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x00005000 ]
+ [ nat dnat inet proto_min reg 1 flags 0x2 ]
+
diff --git a/tests/py/inet/esp.t b/tests/py/inet/esp.t
index ebba7d87..58e9f884 100644
--- a/tests/py/inet/esp.t
+++ b/tests/py/inet/esp.t
@@ -12,14 +12,9 @@ esp spi 111-222;ok
esp spi != 111-222;ok
esp spi { 100, 102};ok
esp spi != { 100, 102};ok
-esp spi { 100-102};ok
-esp spi != { 100-102};ok
-- esp spi {100-102};ok
esp sequence 22;ok
esp sequence 22-24;ok
esp sequence != 22-24;ok
esp sequence { 22, 24};ok
esp sequence != { 22, 24};ok
-esp sequence { 22-25};ok
-esp sequence != { 22-25};ok
diff --git a/tests/py/inet/esp.t.json b/tests/py/inet/esp.t.json
index ee690f96..a9dedd6f 100644
--- a/tests/py/inet/esp.t.json
+++ b/tests/py/inet/esp.t.json
@@ -108,46 +108,6 @@
}
]
-# esp spi { 100-102}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "spi",
- "protocol": "esp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 100, 102 ] }
- ]
- }
- }
- }
-]
-
-# esp spi != { 100-102}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "spi",
- "protocol": "esp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 100, 102 ] }
- ]
- }
- }
- }
-]
-
# esp sequence 22
[
{
@@ -242,43 +202,3 @@
}
]
-# esp sequence { 22-25}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "esp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 22, 25 ] }
- ]
- }
- }
- }
-]
-
-# esp sequence != { 22-25}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "esp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 22, 25 ] }
- ]
- }
- }
- }
-]
-
diff --git a/tests/py/inet/esp.t.payload b/tests/py/inet/esp.t.payload
index ad68530b..0353b056 100644
--- a/tests/py/inet/esp.t.payload
+++ b/tests/py/inet/esp.t.payload
@@ -47,26 +47,6 @@ inet test-inet input
[ payload load 4b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# esp spi { 100-102}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000032 ]
- [ payload load 4b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# esp spi != { 100-102}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 64000000 : 0 [end] element 67000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000032 ]
- [ payload load 4b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# esp sequence 22
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -109,23 +89,3 @@ inet test-inet input
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# esp sequence { 22-25}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000032 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# esp sequence != { 22-25}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 16000000 : 0 [end] element 1a000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000032 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/inet/ip.t b/tests/py/inet/ip.t
index 86604a63..ac5b825e 100644
--- a/tests/py/inet/ip.t
+++ b/tests/py/inet/ip.t
@@ -8,4 +8,4 @@
ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . ca:fe:ca:fe:ca:fe };ok
ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop };fail
-ip saddr vmap { 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail
+ip saddr vmap { 3.3.3.3-3.3.3.4 : accept, 1.1.1.1-1.1.1.255 : accept, 1.1.1.0-1.1.2.1 : drop};fail
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t
index a9ecd2ea..1c8aeebe 100644
--- a/tests/py/inet/reject.t
+++ b/tests/py/inet/reject.t
@@ -2,37 +2,38 @@
*inet;test-inet;input
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
-
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset
reject;ok
-meta nfproto ipv4 reject;ok;reject with icmp type port-unreachable
-meta nfproto ipv6 reject;ok;reject with icmpv6 type port-unreachable
+meta nfproto ipv4 reject;ok;reject with icmp port-unreachable
+meta nfproto ipv6 reject;ok;reject with icmpv6 port-unreachable
-reject with icmpx type host-unreachable;ok
-reject with icmpx type no-route;ok
-reject with icmpx type admin-prohibited;ok
-reject with icmpx type port-unreachable;ok;reject
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
+reject with icmpx 3;ok;reject with icmpx admin-prohibited
-meta nfproto ipv4 reject with icmp type host-unreachable;ok;reject with icmp type host-unreachable
-meta nfproto ipv6 reject with icmpv6 type no-route;ok;reject with icmpv6 type no-route
+meta nfproto ipv4 reject with icmp host-unreachable;ok;reject with icmp host-unreachable
+meta nfproto ipv6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route
-meta nfproto ipv6 reject with icmp type host-unreachable;fail
-meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail
-meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail
+meta nfproto ipv6 reject with icmp host-unreachable;fail
+meta nfproto ipv4 ip protocol icmp reject with icmpv6 no-route;fail
+meta nfproto ipv6 ip protocol icmp reject with icmp host-unreachable;fail
meta l4proto udp reject with tcp reset;fail
-meta nfproto ipv4 reject with icmpx type admin-prohibited;ok
-meta nfproto ipv6 reject with icmpx type admin-prohibited;ok
+meta nfproto ipv4 reject with icmpx admin-prohibited;ok
+meta nfproto ipv6 reject with icmpx admin-prohibited;ok
diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json
index bfa94f84..76cd1bf5 100644
--- a/tests/py/inet/reject.t.json
+++ b/tests/py/inet/reject.t.json
@@ -1,4 +1,4 @@
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
[
{
"reject": {
@@ -8,7 +8,7 @@
}
]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
[
{
"reject": {
@@ -18,7 +18,7 @@
}
]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
[
{
"reject": {
@@ -28,7 +28,7 @@
}
]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
[
{
"reject": {
@@ -38,7 +38,7 @@
}
]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
[
{
"reject": {
@@ -48,7 +48,7 @@
}
]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
[
{
"reject": {
@@ -58,7 +58,7 @@
}
]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
[
{
"reject": {
@@ -68,7 +68,7 @@
}
]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
[
{
"reject": {
@@ -78,7 +78,7 @@
}
]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
[
{
"reject": {
@@ -88,7 +88,7 @@
}
]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
[
{
"reject": {
@@ -98,7 +98,7 @@
}
]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
[
{
"reject": {
@@ -165,7 +165,7 @@
}
]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
[
{
"reject": {
@@ -175,7 +175,7 @@
}
]
-# reject with icmpx type no-route
+# reject with icmpx no-route
[
{
"reject": {
@@ -185,7 +185,7 @@
}
]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
[
{
"reject": {
@@ -195,7 +195,7 @@
}
]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
[
{
"reject": {
@@ -205,7 +205,17 @@
}
]
-# meta nfproto ipv4 reject with icmp type host-unreachable
+# reject with icmpx 3
+[
+ {
+ "reject": {
+ "expr": "admin-prohibited",
+ "type": "icmpx"
+ }
+ }
+]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
[
{
"match": {
@@ -224,7 +234,7 @@
}
]
-# meta nfproto ipv6 reject with icmpv6 type no-route
+# meta nfproto ipv6 reject with icmpv6 no-route
[
{
"match": {
@@ -243,7 +253,7 @@
}
]
-# meta nfproto ipv4 reject with icmpx type admin-prohibited
+# meta nfproto ipv4 reject with icmpx admin-prohibited
[
{
"match": {
@@ -264,7 +274,7 @@
}
]
-# meta nfproto ipv6 reject with icmpx type admin-prohibited
+# meta nfproto ipv6 reject with icmpx admin-prohibited
[
{
"match": {
diff --git a/tests/py/inet/reject.t.json.output b/tests/py/inet/reject.t.json.output
index 043617a7..496ce557 100644
--- a/tests/py/inet/reject.t.json.output
+++ b/tests/py/inet/reject.t.json.output
@@ -55,7 +55,7 @@
}
]
-# meta nfproto ipv4 reject with icmp type host-unreachable
+# meta nfproto ipv4 reject with icmp host-unreachable
[
{
"reject": {
@@ -65,7 +65,7 @@
}
]
-# meta nfproto ipv6 reject with icmpv6 type no-route
+# meta nfproto ipv6 reject with icmpv6 no-route
[
{
"reject": {
diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet
index 3f220282..62078d91 100644
--- a/tests/py/inet/reject.t.payload.inet
+++ b/tests/py/inet/reject.t.payload.inet
@@ -1,64 +1,64 @@
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 13 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
@@ -88,41 +88,45 @@ inet test-inet input
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 4 ]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
inet test-inet input
[ reject type 2 code 2 ]
-# reject with icmpx type no-route
+# reject with icmpx no-route
inet test-inet input
[ reject type 2 code 0 ]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
inet test-inet input
[ reject type 2 code 3 ]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
inet test-inet input
[ reject type 2 code 1 ]
-# meta nfproto ipv4 reject with icmp type host-unreachable
+# reject with icmpx 3
+inet test-inet input
+ [ reject type 2 code 3 ]
+
+# meta nfproto ipv4 reject with icmp host-unreachable
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 0 code 1 ]
-# meta nfproto ipv6 reject with icmpv6 type no-route
+# meta nfproto ipv6 reject with icmpv6 no-route
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
[ reject type 0 code 0 ]
-# meta nfproto ipv4 reject with icmpx type admin-prohibited
+# meta nfproto ipv4 reject with icmpx admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
[ reject type 2 code 3 ]
-# meta nfproto ipv6 reject with icmpx type admin-prohibited
+# meta nfproto ipv6 reject with icmpx admin-prohibited
inet test-inet input
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x0000000a ]
diff --git a/tests/py/inet/sctp.t b/tests/py/inet/sctp.t
index 5188b57e..57b9e67b 100644
--- a/tests/py/inet/sctp.t
+++ b/tests/py/inet/sctp.t
@@ -12,8 +12,6 @@ sctp sport 23-44;ok
sctp sport != 23-44;ok
sctp sport { 23, 24, 25};ok
sctp sport != { 23, 24, 25};ok
-sctp sport { 23-44};ok
-sctp sport != { 23-44};ok
sctp dport 23;ok
sctp dport != 23;ok
@@ -21,8 +19,6 @@ sctp dport 23-44;ok
sctp dport != 23-44;ok
sctp dport { 23, 24, 25};ok
sctp dport != { 23, 24, 25};ok
-sctp dport { 23-44};ok
-sctp dport != { 23-44};ok
sctp checksum 1111;ok
sctp checksum != 11;ok
@@ -30,8 +26,6 @@ sctp checksum 21-333;ok
sctp checksum != 32-111;ok
sctp checksum { 22, 33, 44};ok
sctp checksum != { 22, 33, 44};ok
-sctp checksum { 22-44};ok
-sctp checksum != { 22-44};ok
sctp vtag 22;ok
sctp vtag != 233;ok
@@ -39,5 +33,40 @@ sctp vtag 33-45;ok
sctp vtag != 33-45;ok
sctp vtag {33, 55, 67, 88};ok
sctp vtag != {33, 55, 67, 88};ok
-sctp vtag { 33-55};ok
-sctp vtag != { 33-55};ok
+
+# assert all chunk types are recognized
+sctp chunk data exists;ok
+sctp chunk init exists;ok
+sctp chunk init-ack exists;ok
+sctp chunk sack exists;ok
+sctp chunk heartbeat exists;ok
+sctp chunk heartbeat-ack exists;ok
+sctp chunk abort exists;ok
+sctp chunk shutdown exists;ok
+sctp chunk shutdown-ack exists;ok
+sctp chunk error exists;ok
+sctp chunk cookie-echo exists;ok
+sctp chunk cookie-ack exists;ok
+sctp chunk ecne exists;ok
+sctp chunk cwr exists;ok
+sctp chunk shutdown-complete exists;ok
+sctp chunk asconf-ack exists;ok
+sctp chunk forward-tsn exists;ok
+sctp chunk asconf exists;ok
+
+# test common header fields in random chunk types
+sctp chunk data type 0;ok
+sctp chunk init flags 23;ok
+sctp chunk init-ack length 42;ok
+
+# test one custom field in every applicable chunk type
+sctp chunk data stream 1337;ok
+sctp chunk init initial-tsn 5;ok
+sctp chunk init-ack num-outbound-streams 3;ok
+sctp chunk sack a-rwnd 1;ok
+sctp chunk shutdown cum-tsn-ack 65535;ok
+sctp chunk ecne lowest-tsn 5;ok
+sctp chunk cwr lowest-tsn 8;ok
+sctp chunk asconf-ack seqno 12345;ok
+sctp chunk forward-tsn new-cum-tsn 31337;ok
+sctp chunk asconf seqno 12345;ok
diff --git a/tests/py/inet/sctp.t.json b/tests/py/inet/sctp.t.json
index 2684b034..75a9b01c 100644
--- a/tests/py/inet/sctp.t.json
+++ b/tests/py/inet/sctp.t.json
@@ -110,46 +110,6 @@
}
]
-# sctp sport { 23-44}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "sctp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 23, 44 ] }
- ]
- }
- }
- }
-]
-
-# sctp sport != { 23-44}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "sctp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 23, 44 ] }
- ]
- }
- }
- }
-]
-
# sctp dport 23
[
{
@@ -262,46 +222,6 @@
}
]
-# sctp dport { 23-44}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "sctp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 23, 44 ] }
- ]
- }
- }
- }
-]
-
-# sctp dport != { 23-44}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "sctp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 23, 44 ] }
- ]
- }
- }
- }
-]
-
# sctp checksum 1111
[
{
@@ -414,46 +334,6 @@
}
]
-# sctp checksum { 22-44}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "sctp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 22, 44 ] }
- ]
- }
- }
- }
-]
-
-# sctp checksum != { 22-44}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "sctp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 22, 44 ] }
- ]
- }
- }
- }
-]
-
# sctp vtag 22
[
{
@@ -568,42 +448,480 @@
}
]
-# sctp vtag { 33-55}
+# sctp chunk data exists
[
{
"match": {
"left": {
- "payload": {
- "field": "vtag",
- "protocol": "sctp"
+ "sctp chunk": {
+ "name": "data"
}
},
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
+ "op": "==",
+ "right": true
}
}
]
-# sctp vtag != { 33-55}
+# sctp chunk init exists
[
{
"match": {
"left": {
- "payload": {
- "field": "vtag",
- "protocol": "sctp"
+ "sctp chunk": {
+ "name": "init"
}
},
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk init-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "init-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk sack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "sack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk heartbeat exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "heartbeat"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk heartbeat-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "heartbeat-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk abort exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "abort"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk shutdown exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "shutdown"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk shutdown-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "shutdown-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk error exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "error"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk cookie-echo exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "cookie-echo"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk cookie-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "cookie-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk ecne exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "ecne"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk cwr exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "cwr"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk shutdown-complete exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "shutdown-complete"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk asconf-ack exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "asconf-ack"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk forward-tsn exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "forward-tsn"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk asconf exists
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "name": "asconf"
+ }
+ },
+ "op": "==",
+ "right": true
+ }
+ }
+]
+
+# sctp chunk data type 0
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "type",
+ "name": "data"
+ }
+ },
+ "op": "==",
+ "right": 0
+ }
+ }
+]
+
+# sctp chunk init flags 23
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "flags",
+ "name": "init"
+ }
+ },
+ "op": "==",
+ "right": 23
+ }
+ }
+]
+
+# sctp chunk init-ack length 42
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "length",
+ "name": "init-ack"
+ }
+ },
+ "op": "==",
+ "right": 42
+ }
+ }
+]
+
+# sctp chunk data stream 1337
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "stream",
+ "name": "data"
+ }
+ },
+ "op": "==",
+ "right": 1337
+ }
+ }
+]
+
+# sctp chunk init initial-tsn 5
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "initial-tsn",
+ "name": "init"
+ }
+ },
+ "op": "==",
+ "right": 5
+ }
+ }
+]
+
+# sctp chunk init-ack num-outbound-streams 3
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "num-outbound-streams",
+ "name": "init-ack"
+ }
+ },
+ "op": "==",
+ "right": 3
+ }
+ }
+]
+
+# sctp chunk sack a-rwnd 1
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "a-rwnd",
+ "name": "sack"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# sctp chunk shutdown cum-tsn-ack 65535
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "cum-tsn-ack",
+ "name": "shutdown"
+ }
+ },
+ "op": "==",
+ "right": 65535
+ }
+ }
+]
+
+# sctp chunk ecne lowest-tsn 5
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "lowest-tsn",
+ "name": "ecne"
+ }
+ },
+ "op": "==",
+ "right": 5
+ }
+ }
+]
+
+# sctp chunk cwr lowest-tsn 8
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "lowest-tsn",
+ "name": "cwr"
+ }
+ },
+ "op": "==",
+ "right": 8
+ }
+ }
+]
+
+# sctp chunk asconf-ack seqno 12345
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "seqno",
+ "name": "asconf-ack"
+ }
+ },
+ "op": "==",
+ "right": 12345
+ }
+ }
+]
+
+# sctp chunk forward-tsn new-cum-tsn 31337
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "new-cum-tsn",
+ "name": "forward-tsn"
+ }
+ },
+ "op": "==",
+ "right": 31337
+ }
+ }
+]
+
+# sctp chunk asconf seqno 12345
+[
+ {
+ "match": {
+ "left": {
+ "sctp chunk": {
+ "field": "seqno",
+ "name": "asconf"
+ }
+ },
+ "op": "==",
+ "right": 12345
}
}
]
diff --git a/tests/py/inet/sctp.t.payload b/tests/py/inet/sctp.t.payload
index ecfcc725..7337e2ea 100644
--- a/tests/py/inet/sctp.t.payload
+++ b/tests/py/inet/sctp.t.payload
@@ -47,26 +47,6 @@ inet test-inet input
[ payload load 2b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# sctp sport { 23-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# sctp sport != { 23-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# sctp dport 23
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -116,26 +96,6 @@ inet test-inet input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# sctp dport { 23-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# sctp dport != { 23-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00001700 : 0 [end] element 00002d00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# sctp checksum 1111
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -185,26 +145,6 @@ inet test-inet input
[ payload load 4b @ transport header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# sctp checksum { 22-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 4b @ transport header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# sctp checksum != { 22-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 16000000 : 0 [end] element 2d000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 4b @ transport header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# sctp vtag 22
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -254,23 +194,158 @@ inet test-inet input
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# sctp vtag { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# sctp vtag != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000084 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
+# sctp chunk data exists
+ip
+ [ exthdr load 1b @ 0 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk init exists
+ip
+ [ exthdr load 1b @ 1 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk init-ack exists
+ip
+ [ exthdr load 1b @ 2 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk sack exists
+ip
+ [ exthdr load 1b @ 3 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk heartbeat exists
+ip
+ [ exthdr load 1b @ 4 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk heartbeat-ack exists
+ip
+ [ exthdr load 1b @ 5 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk abort exists
+ip
+ [ exthdr load 1b @ 6 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown exists
+ip
+ [ exthdr load 1b @ 7 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown-ack exists
+ip
+ [ exthdr load 1b @ 8 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk error exists
+ip
+ [ exthdr load 1b @ 9 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cookie-echo exists
+ip
+ [ exthdr load 1b @ 10 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cookie-ack exists
+ip
+ [ exthdr load 1b @ 11 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk ecne exists
+ip
+ [ exthdr load 1b @ 12 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk cwr exists
+ip
+ [ exthdr load 1b @ 13 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk shutdown-complete exists
+ip
+ [ exthdr load 1b @ 14 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk asconf-ack exists
+ip
+ [ exthdr load 1b @ 128 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk forward-tsn exists
+ip
+ [ exthdr load 1b @ 192 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk asconf exists
+ip
+ [ exthdr load 1b @ 193 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# sctp chunk data type 0
+ip
+ [ exthdr load 1b @ 0 + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+
+# sctp chunk init flags 23
+ip
+ [ exthdr load 1b @ 1 + 1 => reg 1 ]
+ [ cmp eq reg 1 0x00000017 ]
+
+# sctp chunk init-ack length 42
+ip
+ [ exthdr load 2b @ 2 + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00002a00 ]
+
+# sctp chunk data stream 1337
+ip
+ [ exthdr load 2b @ 0 + 8 => reg 1 ]
+ [ cmp eq reg 1 0x00003905 ]
+
+# sctp chunk init initial-tsn 5
+ip
+ [ exthdr load 4b @ 1 + 16 => reg 1 ]
+ [ cmp eq reg 1 0x05000000 ]
+
+# sctp chunk init-ack num-outbound-streams 3
+ip
+ [ exthdr load 2b @ 2 + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000300 ]
+
+# sctp chunk sack a-rwnd 1
+ip
+ [ exthdr load 4b @ 3 + 8 => reg 1 ]
+ [ cmp eq reg 1 0x01000000 ]
+
+# sctp chunk shutdown cum-tsn-ack 65535
+ip
+ [ exthdr load 4b @ 7 + 4 => reg 1 ]
+ [ cmp eq reg 1 0xffff0000 ]
+
+# sctp chunk ecne lowest-tsn 5
+ip
+ [ exthdr load 4b @ 12 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x05000000 ]
+
+# sctp chunk cwr lowest-tsn 8
+ip
+ [ exthdr load 4b @ 13 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x08000000 ]
+
+# sctp chunk asconf-ack seqno 12345
+ip
+ [ exthdr load 4b @ 128 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x39300000 ]
+
+# sctp chunk forward-tsn new-cum-tsn 31337
+ip
+ [ exthdr load 4b @ 192 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x697a0000 ]
+
+# sctp chunk asconf seqno 12345
+ip
+ [ exthdr load 4b @ 193 + 4 => reg 1 ]
+ [ cmp eq reg 1 0x39300000 ]
diff --git a/tests/py/inet/tcp.t b/tests/py/inet/tcp.t
index 5f2caea9..532da277 100644
--- a/tests/py/inet/tcp.t
+++ b/tests/py/inet/tcp.t
@@ -14,8 +14,6 @@ tcp dport 33-45;ok
tcp dport != 33-45;ok
tcp dport { 33, 55, 67, 88};ok
tcp dport != { 33, 55, 67, 88};ok
-tcp dport { 33-55};ok
-tcp dport != { 33-55};ok
tcp dport {telnet, http, https} accept;ok;tcp dport { 443, 23, 80} accept
tcp dport vmap { 22 : accept, 23 : drop };ok
tcp dport vmap { 25:accept, 28:drop };ok
@@ -30,8 +28,6 @@ tcp sport 33-45;ok
tcp sport != 33-45;ok
tcp sport { 33, 55, 67, 88};ok
tcp sport != { 33, 55, 67, 88};ok
-tcp sport { 33-55};ok
-tcp sport != { 33-55};ok
tcp sport vmap { 25:accept, 28:drop };ok
tcp sport 8080 drop;ok
@@ -47,8 +43,6 @@ tcp sequence 33-45;ok
tcp sequence != 33-45;ok
tcp sequence { 33, 55, 67, 88};ok
tcp sequence != { 33, 55, 67, 88};ok
-tcp sequence { 33-55};ok
-tcp sequence != { 33-55};ok
tcp ackseq 42949672 drop;ok
tcp ackseq 22;ok
@@ -57,8 +51,6 @@ tcp ackseq 33-45;ok
tcp ackseq != 33-45;ok
tcp ackseq { 33, 55, 67, 88};ok
tcp ackseq != { 33, 55, 67, 88};ok
-tcp ackseq { 33-55};ok
-tcp ackseq != { 33-55};ok
- tcp doff 22;ok
- tcp doff != 233;ok
@@ -66,8 +58,6 @@ tcp ackseq != { 33-55};ok
- tcp doff != 33-45;ok
- tcp doff { 33, 55, 67, 88};ok
- tcp doff != { 33, 55, 67, 88};ok
-- tcp doff { 33-55};ok
-- tcp doff != { 33-55};ok
# BUG reserved
# BUG: It is accepted but it is not shown then. tcp reserver
@@ -77,7 +67,7 @@ tcp flags != { fin, urg, ecn, cwr} drop;ok
tcp flags cwr;ok
tcp flags != cwr;ok
tcp flags == syn;ok
-tcp flags & (syn|fin) == (syn|fin);ok;tcp flags & (fin | syn) == fin | syn
+tcp flags fin,syn / fin,syn;ok
tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr;ok;tcp flags == 0xff
tcp flags { syn, syn | ack };ok
tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack };ok
@@ -90,8 +80,6 @@ tcp window 33-45;ok
tcp window != 33-45;ok
tcp window { 33, 55, 67, 88};ok
tcp window != { 33, 55, 67, 88};ok
-tcp window { 33-55};ok
-tcp window != { 33-55};ok
tcp checksum 22;ok
tcp checksum != 233;ok
@@ -99,8 +87,6 @@ tcp checksum 33-45;ok
tcp checksum != 33-45;ok
tcp checksum { 33, 55, 67, 88};ok
tcp checksum != { 33, 55, 67, 88};ok
-tcp checksum { 33-55};ok
-tcp checksum != { 33-55};ok
tcp urgptr 1234 accept;ok
tcp urgptr 22;ok
@@ -109,7 +95,5 @@ tcp urgptr 33-45;ok
tcp urgptr != 33-45;ok
tcp urgptr { 33, 55, 67, 88};ok
tcp urgptr != { 33, 55, 67, 88};ok
-tcp urgptr { 33-55};ok
-tcp urgptr != { 33-55};ok
tcp doff 8;ok
diff --git a/tests/py/inet/tcp.t.json b/tests/py/inet/tcp.t.json
index 922ab91c..8c2a376b 100644
--- a/tests/py/inet/tcp.t.json
+++ b/tests/py/inet/tcp.t.json
@@ -112,46 +112,6 @@
}
]
-# tcp dport { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# tcp dport != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "tcp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# tcp dport {telnet, http, https} accept
[
{
@@ -397,46 +357,6 @@
}
]
-# tcp sport { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# tcp sport != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "tcp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# tcp sport vmap { 25:accept, 28:drop }
[
{
@@ -753,46 +673,6 @@
}
]
-# tcp sequence { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# tcp sequence != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "tcp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# tcp ackseq 42949672 drop
[
{
@@ -926,46 +806,6 @@
}
]
-# tcp ackseq { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "ackseq",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# tcp ackseq != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "ackseq",
- "protocol": "tcp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
[
{
@@ -1254,46 +1094,6 @@
}
]
-# tcp window { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "window",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# tcp window != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "window",
- "protocol": "tcp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# tcp checksum 22
[
{
@@ -1408,46 +1208,6 @@
}
]
-# tcp checksum { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# tcp checksum != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "tcp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# tcp urgptr 1234 accept
[
{
@@ -1581,46 +1341,6 @@
}
]
-# tcp urgptr { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "urgptr",
- "protocol": "tcp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# tcp urgptr != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "urgptr",
- "protocol": "tcp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# tcp doff 8
[
{
@@ -1749,3 +1469,30 @@
}
}
]
+
+# tcp flags fin,syn / fin,syn
+[
+ {
+ "match": {
+ "left": {
+ "&": [
+ {
+ "payload": {
+ "field": "flags",
+ "protocol": "tcp"
+ }
+ },
+ [
+ "fin",
+ "syn"
+ ]
+ ]
+ },
+ "op": "==",
+ "right": [
+ "fin",
+ "syn"
+ ]
+ }
+ }
+]
diff --git a/tests/py/inet/tcp.t.payload b/tests/py/inet/tcp.t.payload
index da932b6d..ee61b1a7 100644
--- a/tests/py/inet/tcp.t.payload
+++ b/tests/py/inet/tcp.t.payload
@@ -47,26 +47,6 @@ inet test-inet input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# tcp dport { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# tcp dport != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# tcp dport {telnet, http, https} accept
__set%d test-inet 3
__set%d test-inet 0
@@ -167,26 +147,6 @@ inet test-inet input
[ payload load 2b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# tcp sport { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# tcp sport != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# tcp sport vmap { 25:accept, 28:drop }
__map%d test-inet b
__map%d test-inet 0
@@ -293,26 +253,6 @@ inet test-inet input
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# tcp sequence { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# tcp sequence != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# tcp ackseq 42949672 drop
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -370,26 +310,6 @@ inet test-inet input
[ payload load 4b @ transport header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# tcp ackseq { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 4b @ transport header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# tcp ackseq != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 4b @ transport header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop
__set%d test-inet 3
__set%d test-inet 0
@@ -434,7 +354,7 @@ inet test-inet input
[ payload load 1b @ transport header + 13 => reg 1 ]
[ cmp eq reg 1 0x00000002 ]
-# tcp flags & (syn|fin) == (syn|fin)
+# tcp flags fin,syn / fin,syn
inet test-inet input
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
@@ -506,26 +426,6 @@ inet test-inet input
[ payload load 2b @ transport header + 14 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# tcp window { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 14 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# tcp window != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 14 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# tcp checksum 22
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -575,26 +475,6 @@ inet test-inet input
[ payload load 2b @ transport header + 16 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# tcp checksum { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# tcp checksum != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# tcp urgptr 1234 accept
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -652,26 +532,6 @@ inet test-inet input
[ payload load 2b @ transport header + 18 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# tcp urgptr { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 18 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# tcp urgptr != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000006 ]
- [ payload load 2b @ transport header + 18 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# tcp doff 8
inet test-inet input
[ meta load l4proto => reg 1 ]
diff --git a/tests/py/inet/udp.t b/tests/py/inet/udp.t
index 4e3eaa51..c434f2ed 100644
--- a/tests/py/inet/udp.t
+++ b/tests/py/inet/udp.t
@@ -12,8 +12,6 @@ udp sport 50-70 accept;ok
udp sport != 50-60 accept;ok
udp sport { 49, 50} drop;ok
udp sport != { 50, 60} accept;ok
-udp sport { 12-40};ok
-udp sport != { 13-24};ok
udp dport set {1, 2, 3};fail
@@ -23,8 +21,6 @@ udp dport 70-75 accept;ok
udp dport != 50-60 accept;ok
udp dport { 49, 50} drop;ok
udp dport != { 50, 60} accept;ok
-udp dport { 70-75} accept;ok
-udp dport != { 50-60} accept;ok
udp length 6666;ok
udp length != 6666;ok
@@ -32,8 +28,6 @@ udp length 50-65 accept;ok
udp length != 50-65 accept;ok
udp length { 50, 65} accept;ok
udp length != { 50, 65} accept;ok
-udp length { 35-50};ok
-udp length != { 35-50};ok
udp checksum 6666 drop;ok
udp checksum != { 444, 555} accept;ok
@@ -44,8 +38,6 @@ udp checksum 33-45;ok
udp checksum != 33-45;ok
udp checksum { 33, 55, 67, 88};ok
udp checksum != { 33, 55, 67, 88};ok
-udp checksum { 33-55};ok
-udp checksum != { 33-55};ok
# limit impact to lo
iif "lo" udp checksum set 0;ok
diff --git a/tests/py/inet/udp.t.json b/tests/py/inet/udp.t.json
index f8826640..665998ec 100644
--- a/tests/py/inet/udp.t.json
+++ b/tests/py/inet/udp.t.json
@@ -126,46 +126,6 @@
}
]
-# udp sport { 12-40}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "udp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 12, 40 ] }
- ]
- }
- }
- }
-]
-
-# udp sport != { 13-24}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "udp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 13, 24 ] }
- ]
- }
- }
- }
-]
-
# udp dport 80 accept
[
{
@@ -294,52 +254,6 @@
}
]
-# udp dport { 70-75} accept
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "udp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 70, 75 ] }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
-# udp dport != { 50-60} accept
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "udp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 50, 60 ] }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
# udp length 6666
[
{
@@ -462,46 +376,6 @@
}
]
-# udp length { 35-50}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "length",
- "protocol": "udp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 35, 50 ] }
- ]
- }
- }
- }
-]
-
-# udp length != { 35-50}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "length",
- "protocol": "udp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 35, 50 ] }
- ]
- }
- }
- }
-]
-
# udp checksum 6666 drop
[
{
@@ -659,46 +533,6 @@
}
]
-# udp checksum { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "udp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# udp checksum != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "udp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# iif "lo" udp checksum set 0
[
{
diff --git a/tests/py/inet/udp.t.payload b/tests/py/inet/udp.t.payload
index d91eb784..e6beda7f 100644
--- a/tests/py/inet/udp.t.payload
+++ b/tests/py/inet/udp.t.payload
@@ -53,26 +53,6 @@ inet test-inet input
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
-# udp sport { 12-40}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udp sport != { 13-24}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000d00 : 0 [end] element 00001900 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# udp dport 80 accept
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -128,28 +108,6 @@ inet test-inet input
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
-# udp dport { 70-75} accept
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 accept ]
-
-# udp dport != { 50-60} accept
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00003200 : 0 [end] element 00003d00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
# udp length 6666
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -203,26 +161,6 @@ inet test-inet input
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
-# udp length { 35-50}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udp length != { 35-50}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002300 : 0 [end] element 00003300 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# udp checksum 6666 drop
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -291,26 +229,6 @@ inet test-inet input
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# udp checksum { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udp checksum != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000011 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# iif "lo" udp checksum set 0
inet test-inet input
[ meta load iif => reg 1 ]
diff --git a/tests/py/inet/udplite.t b/tests/py/inet/udplite.t
index 7c22acb9..a8fdc8ea 100644
--- a/tests/py/inet/udplite.t
+++ b/tests/py/inet/udplite.t
@@ -12,8 +12,6 @@ udplite sport 50-70 accept;ok
udplite sport != 50-60 accept;ok
udplite sport { 49, 50} drop;ok
udplite sport != { 49, 50} accept;ok
-udplite sport { 12-40};ok
-udplite sport != { 12-40};ok
udplite dport 80 accept;ok
udplite dport != 60 accept;ok
@@ -21,8 +19,6 @@ udplite dport 70-75 accept;ok
udplite dport != 50-60 accept;ok
udplite dport { 49, 50} drop;ok
udplite dport != { 49, 50} accept;ok
-udplite dport { 70-75} accept;ok
-udplite dport != { 70-75} accept;ok
- udplite csumcov 6666;ok
- udplite csumcov != 6666;ok
@@ -30,8 +26,6 @@ udplite dport != { 70-75} accept;ok
- udplite csumcov != 50-65 accept;ok
- udplite csumcov { 50, 65} accept;ok
- udplite csumcov != { 50, 65} accept;ok
-- udplite csumcov { 35-50};ok
-- udplite csumcov != { 35-50};ok
udplite checksum 6666 drop;ok
udplite checksum != { 444, 555} accept;ok
@@ -41,5 +35,3 @@ udplite checksum 33-45;ok
udplite checksum != 33-45;ok
udplite checksum { 33, 55, 67, 88};ok
udplite checksum != { 33, 55, 67, 88};ok
-udplite checksum { 33-55};ok
-udplite checksum != { 33-55};ok
diff --git a/tests/py/inet/udplite.t.json b/tests/py/inet/udplite.t.json
index f56bee47..713a534f 100644
--- a/tests/py/inet/udplite.t.json
+++ b/tests/py/inet/udplite.t.json
@@ -126,46 +126,6 @@
}
]
-# udplite sport { 12-40}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "udplite"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 12, 40 ] }
- ]
- }
- }
- }
-]
-
-# udplite sport != { 12-40}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sport",
- "protocol": "udplite"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 12, 40 ] }
- ]
- }
- }
- }
-]
-
# udplite dport 80 accept
[
{
@@ -294,52 +254,6 @@
}
]
-# udplite dport { 70-75} accept
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "udplite"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 70, 75 ] }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
-# udplite dport != { 70-75} accept
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "dport",
- "protocol": "udplite"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 70, 75 ] }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
# udplite checksum 6666 drop
[
{
@@ -497,43 +411,3 @@
}
]
-# udplite checksum { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "udplite"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# udplite checksum != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "udplite"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
diff --git a/tests/py/inet/udplite.t.payload b/tests/py/inet/udplite.t.payload
index eb3dc075..de9d09ed 100644
--- a/tests/py/inet/udplite.t.payload
+++ b/tests/py/inet/udplite.t.payload
@@ -53,26 +53,6 @@ inet test-inet input
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
-# udplite sport { 12-40}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udplite sport != { 12-40}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000c00 : 0 [end] element 00002900 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# udplite dport 80 accept
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -128,28 +108,6 @@ inet test-inet input
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
-# udplite dport { 70-75} accept
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 accept ]
-
-# udplite dport != { 70-75} accept
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00004600 : 0 [end] element 00004c00 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
# udplite checksum 6666 drop
inet test-inet input
[ meta load l4proto => reg 1 ]
@@ -218,23 +176,3 @@ inet test-inet input
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# udplite checksum { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# udplite checksum != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000088 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t
index 089017c8..c5ca4c40 100644
--- a/tests/py/ip/dnat.t
+++ b/tests/py/ip/dnat.t
@@ -8,6 +8,13 @@ iifname "eth0" tcp dport {80, 90, 23} dnat to 192.168.3.2;ok
iifname "eth0" tcp dport != {80, 90, 23} dnat to 192.168.3.2;ok
iifname "eth0" tcp dport != 23-34 dnat to 192.168.3.2;ok
iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080;ok
+iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999;ok
+iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080;ok
+iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999;ok
dnat to ct mark map { 0x00000014 : 1.2.3.4};ok
dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
+
+dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 };ok
+dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 };ok
+dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 };ok
diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
index dd18dae2..4872545a 100644
--- a/tests/py/ip/dnat.t.payload.ip
+++ b/tests/py/ip/dnat.t.payload.ip
@@ -91,3 +91,79 @@ ip test-ip4 output
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 ]
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 8888 - 8999 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+ element 0201a8c0 00005000 : 000a8d0a 0000b822 ff0a8d0a 00002723 0 [end]
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24 . 80 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+ element 0201a8c0 00005000 : 000a8d0a 00005000 ff0a8d0a 00005000 0 [end]
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
+
+# dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+ element 0201a8c0 00005000 : 020a8d0a 0000b822 020a8d0a 00002723 0 [end]
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 2b @ transport header + 2 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 10 proto_min reg 9 proto_max reg 11 ]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2:8080-8999
+ip
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005100 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ immediate reg 2 0x0000901f ]
+ [ immediate reg 3 0x00002723 ]
+ [ nat dnat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 flags 0x2 ]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080
+ip
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005100 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ immediate reg 2 0x0403a8c0 ]
+ [ immediate reg 3 0x0000901f ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 flags 0x2 ]
+
+# iifname "eth0" tcp dport 81 dnat to 192.168.3.2-192.168.3.4:8080-8999
+ip
+ [ meta load iifname => reg 1 ]
+ [ cmp eq reg 1 0x30687465 0x00000000 0x00000000 0x00000000 ]
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ transport header + 2 => reg 1 ]
+ [ cmp eq reg 1 0x00005100 ]
+ [ immediate reg 1 0x0203a8c0 ]
+ [ immediate reg 2 0x0403a8c0 ]
+ [ immediate reg 3 0x0000901f ]
+ [ immediate reg 4 0x00002723 ]
+ [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ]
+
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index 11f3662e..7ddf8b38 100644
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -26,8 +26,6 @@ icmp code 111 accept;ok
icmp code != 111 accept;ok
icmp code 33-55;ok
icmp code != 33-55;ok
-icmp code { 33-55};ok
-icmp code != { 33-55};ok
icmp code { 2, 4, 54, 33, 56};ok;icmp code { prot-unreachable, frag-needed, 33, 54, 56}
icmp code != { prot-unreachable, frag-needed, 33, 54, 56};ok
@@ -35,8 +33,6 @@ icmp checksum 12343 accept;ok
icmp checksum != 12343 accept;ok
icmp checksum 11-343 accept;ok
icmp checksum != 11-343 accept;ok
-icmp checksum { 11-343} accept;ok
-icmp checksum != { 11-343} accept;ok
icmp checksum { 1111, 222, 343} accept;ok
icmp checksum != { 1111, 222, 343} accept;ok
@@ -45,8 +41,6 @@ icmp id 22;ok;icmp type { echo-reply, echo-request} icmp id 22
icmp id != 233;ok;icmp type { echo-reply, echo-request} icmp id != 233
icmp id 33-45;ok;icmp type { echo-reply, echo-request} icmp id 33-45
icmp id != 33-45;ok;icmp type { echo-reply, echo-request} icmp id != 33-45
-icmp id { 33-55};ok;icmp type { echo-reply, echo-request} icmp id { 33-55}
-icmp id != { 33-55};ok;icmp type { echo-reply, echo-request} icmp id != { 33-55}
icmp id { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id { 22, 34, 333}
icmp id != { 22, 34, 333};ok;icmp type { echo-request, echo-reply} icmp id != { 22, 34, 333}
@@ -57,23 +51,18 @@ icmp sequence 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence 33-45
icmp sequence != 33-45;ok;icmp type { echo-reply, echo-request} icmp sequence != 33-45
icmp sequence { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence { 33, 55, 67, 88}
icmp sequence != { 33, 55, 67, 88};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33, 55, 67, 88}
-icmp sequence { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence { 33-55}
-icmp sequence != { 33-55};ok;icmp type { echo-request, echo-reply} icmp sequence != { 33-55}
icmp id 1 icmp sequence 2;ok;icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2;ok
+icmp type echo-reply icmp id 1;ok
icmp mtu 33;ok
icmp mtu 22-33;ok
-icmp mtu { 22-33};ok
-icmp mtu != { 22-33};ok
icmp mtu 22;ok
icmp mtu != 233;ok
icmp mtu 33-45;ok
icmp mtu != 33-45;ok
icmp mtu { 33, 55, 67, 88};ok
icmp mtu != { 33, 55, 67, 88};ok
-icmp mtu { 33-55};ok
-icmp mtu != { 33-55};ok
icmp gateway 22;ok
icmp gateway != 233;ok
@@ -81,8 +70,6 @@ icmp gateway 33-45;ok
icmp gateway != 33-45;ok
icmp gateway { 33, 55, 67, 88};ok
icmp gateway != { 33, 55, 67, 88};ok
-icmp gateway { 33-55};ok
-icmp gateway != { 33-55};ok
icmp gateway != 34;ok
icmp gateway != { 333, 334};ok
diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json
index 12b53b0f..4f052509 100644
--- a/tests/py/ip/icmp.t.json
+++ b/tests/py/ip/icmp.t.json
@@ -422,56 +422,6 @@
}
]
-# icmp code { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "code",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
-# icmp code != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "code",
- "protocol": "icmp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
# icmp code { 2, 4, 54, 33, 56}
[
{
@@ -606,62 +556,6 @@
}
]
-# icmp checksum { 11-343} accept
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 11,
- 343
- ]
- }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
-# icmp checksum != { 11-343} accept
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "icmp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 11,
- 343
- ]
- }
- ]
- }
- }
- },
- {
- "accept": null
- }
-]
-
# icmp checksum { 1111, 222, 343} accept
[
{
@@ -839,73 +733,6 @@
}
]
-# icmp id { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "id",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
-# icmp id != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- "echo-reply",
- "echo-request"
- ]
- }
- }
- },
- {
- "match": {
- "left": {
- "payload": {
- "field": "id",
- "protocol": "icmp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
# icmp id { 22, 34, 333}
[
{
@@ -1206,7 +1033,7 @@
}
]
-# icmp sequence { 33-55}
+# icmp id 1 icmp sequence 2
[
{
"match": {
@@ -1229,42 +1056,12 @@
"match": {
"left": {
"payload": {
- "field": "sequence",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
-# icmp sequence != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "type",
+ "field": "id",
"protocol": "icmp"
}
},
"op": "==",
- "right": {
- "set": [
- "echo-reply",
- "echo-request"
- ]
- }
+ "right": 1
}
},
{
@@ -1275,22 +1072,13 @@
"protocol": "icmp"
}
},
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
+ "op": "==",
+ "right": 2
}
}
]
-# icmp id 1 icmp sequence 2
+# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
[
{
"match": {
@@ -1335,7 +1123,7 @@
}
]
-# icmp type { echo-reply, echo-request} icmp id 1 icmp sequence 2
+# icmp type echo-reply icmp id 1
[
{
"match": {
@@ -1346,12 +1134,7 @@
}
},
"op": "==",
- "right": {
- "set": [
- "echo-reply",
- "echo-request"
- ]
- }
+ "right": "echo-reply"
}
},
{
@@ -1365,18 +1148,6 @@
"op": "==",
"right": 1
}
- },
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": 2
- }
}
]
@@ -1417,56 +1188,6 @@
}
]
-# icmp mtu { 22-33}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "mtu",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 22,
- 33
- ]
- }
- ]
- }
- }
- }
-]
-
-# icmp mtu != { 22-33}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "mtu",
- "protocol": "icmp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 22,
- 33
- ]
- }
- ]
- }
- }
- }
-]
-
# icmp mtu 22
[
{
@@ -1587,56 +1308,6 @@
}
]
-# icmp mtu { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "mtu",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
-# icmp mtu != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "mtu",
- "protocol": "icmp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
# icmp gateway 22
[
{
@@ -1757,56 +1428,6 @@
}
]
-# icmp gateway { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "gateway",
- "protocol": "icmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
-# icmp gateway != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "gateway",
- "protocol": "icmp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 33,
- 55
- ]
- }
- ]
- }
- }
- }
-]
-
# icmp gateway != 34
[
{
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index dccff4c0..3bc6de3c 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -143,26 +143,6 @@ ip test-ip4 input
[ payload load 1b @ transport header + 1 => reg 1 ]
[ range neq reg 1 0x00000021 0x00000037 ]
-# icmp code { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmp code != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmp code { 2, 4, 54, 33, 56}
__set%d test-ip4 3
__set%d test-ip4 0
@@ -216,28 +196,6 @@ ip test-ip4 input
[ range neq reg 1 0x00000b00 0x00005701 ]
[ immediate reg 0 accept ]
-# icmp checksum { 11-343} accept
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ immediate reg 0 accept ]
-
-# icmp checksum != { 11-343} accept
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
- [ immediate reg 0 accept ]
-
# icmp checksum { 1111, 222, 343} accept
__set%d test-ip4 3
__set%d test-ip4 0
@@ -322,36 +280,6 @@ ip test-ip4 input
[ payload load 2b @ transport header + 4 => reg 1 ]
[ range neq reg 1 0x00002100 0x00002d00 ]
-# icmp id { 33-55}
-__set%d test-ip4 3
-__set%d test-ip4 0
- element 00000008 : 0 [end] element 00000000 : 0 [end]
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmp id != { 33-55}
-__set%d test-ip4 3
-__set%d test-ip4 0
- element 00000008 : 0 [end] element 00000000 : 0 [end]
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmp id { 22, 34, 333}
__set%d test-ip4 3
__set%d test-ip4 0
@@ -461,36 +389,6 @@ ip test-ip4 input
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# icmp sequence { 33-55}
-__set%d test-ip4 3
-__set%d test-ip4 0
- element 00000008 : 0 [end] element 00000000 : 0 [end]
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmp sequence != { 33-55}
-__set%d test-ip4 3
-__set%d test-ip4 0
- element 00000008 : 0 [end] element 00000000 : 0 [end]
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmp id 1 icmp sequence 2
__set%d test-ip4 3
__set%d test-ip4 0
@@ -515,6 +413,15 @@ ip
[ payload load 4b @ transport header + 4 => reg 1 ]
[ cmp eq reg 1 0x02000100 ]
+# icmp type echo-reply icmp id 1
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 1b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
+ [ payload load 2b @ transport header + 4 => reg 1 ]
+ [ cmp eq reg 1 0x00000100 ]
+
# icmp mtu 33
ip test-ip4 input
[ meta load l4proto => reg 1 ]
@@ -534,30 +441,6 @@ ip test-ip4 input
[ cmp gte reg 1 0x00001600 ]
[ cmp lte reg 1 0x00002100 ]
-# icmp mtu { 22-33}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000003 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmp mtu != { 22-33}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00001600 : 0 [end] element 00002200 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000003 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmp mtu 22
ip test-ip4 input
[ meta load l4proto => reg 1 ]
@@ -619,30 +502,6 @@ ip test-ip4 input
[ payload load 2b @ transport header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# icmp mtu { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000003 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmp mtu != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000003 ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmp gateway 22
ip test-ip4 input
[ meta load l4proto => reg 1 ]
@@ -704,30 +563,6 @@ ip test-ip4 input
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# icmp gateway { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000005 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmp gateway != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000001 ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000005 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmp gateway != 34
ip test-ip4 input
[ meta load l4proto => reg 1 ]
diff --git a/tests/py/ip/igmp.t b/tests/py/ip/igmp.t
index 939dcc32..a556e475 100644
--- a/tests/py/ip/igmp.t
+++ b/tests/py/ip/igmp.t
@@ -16,8 +16,6 @@ igmp checksum 12343;ok
igmp checksum != 12343;ok
igmp checksum 11-343;ok
igmp checksum != 11-343;ok
-igmp checksum { 11-343};ok
-igmp checksum != { 11-343};ok
igmp checksum { 1111, 222, 343};ok
igmp checksum != { 1111, 222, 343};ok
diff --git a/tests/py/ip/igmp.t.json b/tests/py/ip/igmp.t.json
index 66dd3bb7..0e2a43f3 100644
--- a/tests/py/ip/igmp.t.json
+++ b/tests/py/ip/igmp.t.json
@@ -196,56 +196,6 @@
}
]
-# igmp checksum { 11-343}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "igmp"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [
- 11,
- 343
- ]
- }
- ]
- }
- }
- }
-]
-
-# igmp checksum != { 11-343}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "igmp"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- {
- "range": [
- 11,
- 343
- ]
- }
- ]
- }
- }
- }
-]
-
# igmp checksum { 1111, 222, 343}
[
{
diff --git a/tests/py/ip/igmp.t.payload b/tests/py/ip/igmp.t.payload
index b5207475..940fe2cd 100644
--- a/tests/py/ip/igmp.t.payload
+++ b/tests/py/ip/igmp.t.payload
@@ -62,26 +62,6 @@ ip test-ip4 input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ range neq reg 1 0x00000b00 0x00005701 ]
-# igmp checksum { 11-343}
-__set%d test-ip4 7 size 3
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# igmp checksum != { 11-343}
-__set%d test-ip4 7 size 3
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000b00 : 0 [end] element 00005801 : 1 [end]
-ip test-ip4 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# igmp checksum { 1111, 222, 343}
__set%d test-ip4 3 size 3
__set%d test-ip4 0
diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t
index 04aada2d..f4a3667c 100644
--- a/tests/py/ip/ip.t
+++ b/tests/py/ip/ip.t
@@ -39,8 +39,6 @@ ip length 333-435;ok
ip length != 333-453;ok
ip length { 333, 553, 673, 838};ok
ip length != { 333, 553, 673, 838};ok
-ip length { 333-535};ok
-ip length != { 333-535};ok
ip id 22;ok
ip id != 233;ok
@@ -48,8 +46,6 @@ ip id 33-45;ok
ip id != 33-45;ok
ip id { 33, 55, 67, 88};ok
ip id != { 33, 55, 67, 88};ok
-ip id { 33-55};ok
-ip id != { 33-55};ok
ip frag-off 222 accept;ok
ip frag-off != 233;ok
@@ -57,8 +53,6 @@ ip frag-off 33-45;ok
ip frag-off != 33-45;ok
ip frag-off { 33, 55, 67, 88};ok
ip frag-off != { 33, 55, 67, 88};ok
-ip frag-off { 33-55};ok
-ip frag-off != { 33-55};ok
ip ttl 0 drop;ok
ip ttl 233;ok
@@ -66,8 +60,6 @@ ip ttl 33-55;ok
ip ttl != 45-50;ok
ip ttl {43, 53, 45 };ok
ip ttl != {43, 53, 45 };ok
-ip ttl { 33-55};ok
-ip ttl != { 33-55};ok
ip protocol tcp;ok;ip protocol 6
ip protocol != tcp;ok;ip protocol != 6
@@ -84,8 +76,6 @@ ip checksum 33-45;ok
ip checksum != 33-45;ok
ip checksum { 33, 55, 67, 88};ok
ip checksum != { 33, 55, 67, 88};ok
-ip checksum { 33-55};ok
-ip checksum != { 33-55};ok
ip saddr set {192.19.1.2, 191.1.22.1};fail
@@ -99,8 +89,6 @@ ip daddr 10.0.0.0-10.255.255.255;ok
ip daddr 172.16.0.0-172.31.255.255;ok
ip daddr 192.168.3.1-192.168.4.250;ok
ip daddr != 192.168.0.1-192.168.0.250;ok
-ip daddr { 192.168.0.1-192.168.0.250};ok
-ip daddr != { 192.168.0.1-192.168.0.250};ok
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept;ok
@@ -135,3 +123,6 @@ iif "lo" ip protocol set 1;ok
iif "lo" ip dscp set af23;ok
iif "lo" ip dscp set cs0;ok
+
+ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok
+ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept };ok
diff --git a/tests/py/ip/ip.t.json b/tests/py/ip/ip.t.json
index 3131ab79..b1085035 100644
--- a/tests/py/ip/ip.t.json
+++ b/tests/py/ip/ip.t.json
@@ -270,46 +270,6 @@
}
]
-# ip length { 333-535}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "length",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 333, 535 ] }
- ]
- }
- }
- }
-]
-
-# ip length != { 333-535}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "length",
- "protocol": "ip"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 333, 535 ] }
- ]
- }
- }
- }
-]
-
# ip id 22
[
{
@@ -424,46 +384,6 @@
}
]
-# ip id { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "id",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# ip id != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "id",
- "protocol": "ip"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ip frag-off 222 accept
[
{
@@ -581,46 +501,6 @@
}
]
-# ip frag-off { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "frag-off",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# ip frag-off != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "frag-off",
- "protocol": "ip"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ip ttl 0 drop
[
{
@@ -736,46 +616,6 @@
}
]
-# ip ttl { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "ttl",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# ip ttl != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "ttl",
- "protocol": "ip"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ip protocol tcp
[
{
@@ -1019,46 +859,6 @@
}
]
-# ip checksum { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# ip checksum != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "ip"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ip saddr 192.168.2.0/24
[
{
@@ -1251,46 +1051,6 @@
}
]
-# ip daddr { 192.168.0.1-192.168.0.250}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "daddr",
- "protocol": "ip"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ "192.168.0.1", "192.168.0.250" ] }
- ]
- }
- }
- }
-]
-
-# ip daddr != { 192.168.0.1-192.168.0.250}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "daddr",
- "protocol": "ip"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ "192.168.0.1", "192.168.0.250" ] }
- ]
- }
- }
- }
-]
-
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
[
{
@@ -1836,3 +1596,92 @@
}
]
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+[
+ {
+ "match": {
+ "left": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ }
+ ]
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ {
+ "concat": [
+ "192.0.2.1",
+ {
+ "range": [
+ "10.0.0.1",
+ "10.0.0.2"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+[
+ {
+ "vmap": {
+ "data": {
+ "set": [
+ [
+ {
+ "concat": [
+ {
+ "range": [
+ "192.168.5.1",
+ "192.168.5.128"
+ ]
+ },
+ {
+ "range": [
+ "192.168.6.1",
+ "192.168.6.128"
+ ]
+ }
+ ]
+ },
+ {
+ "accept": null
+ }
+ ]
+ ]
+ },
+ "key": {
+ "concat": [
+ {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ }
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
index bbff508b..49d1a0fb 100644
--- a/tests/py/ip/ip.t.payload
+++ b/tests/py/ip/ip.t.payload
@@ -87,22 +87,6 @@ ip test-ip4 input
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip length { 333-535}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip length != { 333-535}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip id 22
ip test-ip4 input
[ payload load 2b @ network header + 4 => reg 1 ]
@@ -140,22 +124,6 @@ ip test-ip4 input
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip id { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip id != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip frag-off 222 accept
ip test-ip4 input
[ payload load 2b @ network header + 6 => reg 1 ]
@@ -194,22 +162,6 @@ ip test-ip4 input
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip frag-off { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip frag-off != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip ttl 0 drop
ip test-ip4 input
[ payload load 1b @ network header + 8 => reg 1 ]
@@ -248,22 +200,6 @@ ip test-ip4 input
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip ttl { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip test-ip4 input
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip ttl != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip test-ip4 input
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip protocol tcp
ip test-ip4 input
[ payload load 1b @ network header + 9 => reg 1 ]
@@ -340,22 +276,6 @@ ip test-ip4 input
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip checksum { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip checksum != { 33-55}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip test-ip4 input
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip saddr 192.168.2.0/24
ip test-ip4 input
[ payload load 3b @ network header + 12 => reg 1 ]
@@ -412,22 +332,6 @@ ip test-ip4 input
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
-# ip daddr { 192.168.0.1-192.168.0.250}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-ip test-ip4 input
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip daddr != { 192.168.0.1-192.168.0.250}
-__set%d test-ip4 7
-__set%d test-ip4 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-ip test-ip4 input
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
__set%d test-ip4 3
__set%d test-ip4 0
@@ -602,3 +506,20 @@ ip test-ip4 input
[ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ]
[ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ]
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-ip4 87 size 1
+__set%d test-ip4 0
+ element 010200c0 0100000a - 010200c0 0200000a : 0 [end]
+ip
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-ip4 8f size 1
+__map%d test-ip4 0
+ element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end]
+ip
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge
index 33c9654f..dac86543 100644
--- a/tests/py/ip/ip.t.payload.bridge
+++ b/tests/py/ip/ip.t.payload.bridge
@@ -113,26 +113,6 @@ bridge test-bridge input
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip length { 333-535}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip length != { 333-535}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip id 22
bridge test-bridge input
[ meta load protocol => reg 1 ]
@@ -182,26 +162,6 @@ bridge test-bridge input
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip id { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip id != { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip frag-off 222 accept
bridge test-bridge input
[ meta load protocol => reg 1 ]
@@ -252,26 +212,6 @@ bridge test-bridge input
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip frag-off { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip frag-off != { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip ttl 0 drop
bridge test-bridge input
[ meta load protocol => reg 1 ]
@@ -322,26 +262,6 @@ bridge test-bridge input
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip ttl { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip ttl != { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip protocol tcp
bridge test-bridge input
[ meta load protocol => reg 1 ]
@@ -442,26 +362,6 @@ bridge test-bridge input
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip checksum { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip checksum != { 33-55}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip saddr 192.168.2.0/24
bridge test-bridge input
[ meta load protocol => reg 1 ]
@@ -538,26 +438,6 @@ bridge test-bridge input
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
-# ip daddr { 192.168.0.1-192.168.0.250}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip daddr != { 192.168.0.1-192.168.0.250}
-__set%d test-bridge 7 size 3
-__set%d test-bridge 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-bridge test-bridge input
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
__set%d test-bridge 3 size 3
__set%d test-bridge 0
@@ -782,3 +662,25 @@ bridge test-bridge input
[ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ]
[ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ]
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-bridge 87 size 1
+__set%d test-bridge 0
+ element 010200c0 0100000a - 010200c0 0200000a : 0 [end]
+bridge
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-bridge 8f size 1
+__map%d test-bridge 0
+ element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end]
+bridge
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
index 0d387da9..64371650 100644
--- a/tests/py/ip/ip.t.payload.inet
+++ b/tests/py/ip/ip.t.payload.inet
@@ -113,26 +113,6 @@ inet test-inet input
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip length { 333-535}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip length != { 333-535}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip id 22
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -182,26 +162,6 @@ inet test-inet input
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip id { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip id != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip frag-off 222 accept
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -252,26 +212,6 @@ inet test-inet input
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip frag-off { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip frag-off != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip ttl 0 drop
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -322,26 +262,6 @@ inet test-inet input
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip ttl { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip ttl != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip protocol tcp
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -442,26 +362,6 @@ inet test-inet input
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip checksum { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip checksum != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip saddr 192.168.2.0/24
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -538,26 +438,6 @@ inet test-inet input
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
-# ip daddr { 192.168.0.1-192.168.0.250}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip daddr != { 192.168.0.1-192.168.0.250}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
__set%d test-inet 3
__set%d test-inet 0
@@ -782,3 +662,25 @@ inet test-inet input
[ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ]
[ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ]
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-inet 87 size 1
+__set%d test-inet 0
+ element 010200c0 0100000a - 010200c0 0200000a : 0 [end]
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-inet 8f size 1
+__map%d test-inet 0
+ element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end]
+inet
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev
index f75f789f..65f8c96a 100644
--- a/tests/py/ip/ip.t.payload.netdev
+++ b/tests/py/ip/ip.t.payload.netdev
@@ -47,26 +47,6 @@ netdev test-netdev ingress
[ payload load 2b @ network header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip length { 333-535}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip length != { 333-535}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00004d01 : 0 [end] element 00001802 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip id 22
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
@@ -116,26 +96,6 @@ netdev test-netdev ingress
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip id { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip id != { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip frag-off 222 accept
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
@@ -186,26 +146,6 @@ netdev test-netdev ingress
[ payload load 2b @ network header + 6 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip frag-off { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip frag-off != { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip ttl 0 drop
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
@@ -249,26 +189,6 @@ netdev test-netdev ingress
[ payload load 1b @ network header + 8 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip ttl { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip ttl != { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 1b @ network header + 8 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept
__set%d test-netdev 3
__set%d test-netdev 0
@@ -355,26 +275,6 @@ netdev test-netdev ingress
[ payload load 2b @ network header + 10 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip checksum { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip checksum != { 33-55}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 2b @ network header + 10 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip saddr 192.168.2.0/24
netdev test-netdev ingress
[ meta load protocol => reg 1 ]
@@ -444,26 +344,6 @@ netdev test-netdev ingress
[ payload load 4b @ network header + 16 => reg 1 ]
[ range neq reg 1 0x0100a8c0 0xfa00a8c0 ]
-# ip daddr { 192.168.0.1-192.168.0.250}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip daddr != { 192.168.0.1-192.168.0.250}
-__set%d test-netdev 7
-__set%d test-netdev 0
- element 00000000 : 1 [end] element 0100a8c0 : 0 [end] element fb00a8c0 : 1 [end]
-netdev test-netdev ingress
- [ meta load protocol => reg 1 ]
- [ cmp eq reg 1 0x00000008 ]
- [ payload load 4b @ network header + 16 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept
__set%d test-netdev 3
__set%d test-netdev 0
@@ -782,3 +662,25 @@ netdev test-netdev ingress
[ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ]
[ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ]
+# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }
+__set%d test-netdev 87 size 1
+__set%d test-netdev 0
+ element 010200c0 0100000a - 010200c0 0200000a : 0 [end]
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
+# ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }
+__map%d test-netdev 8f size 1
+__map%d test-netdev 0
+ element 0105a8c0 0106a8c0 - 8005a8c0 8006a8c0 : accept 0 [end]
+netdev
+ [ meta load protocol => reg 1 ]
+ [ cmp eq reg 1 0x00000008 ]
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ payload load 4b @ network header + 16 => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 0 ]
+
diff --git a/tests/py/ip/reject.t b/tests/py/ip/reject.t
index cc5561a0..ad009944 100644
--- a/tests/py/ip/reject.t
+++ b/tests/py/ip/reject.t
@@ -3,14 +3,15 @@
*ip;test-ip4;output
reject;ok
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok;reject
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok;reject
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+reject with icmp 3;ok;reject
mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset
-reject with icmp type no-route;fail
-reject with icmpv6 type no-route;fail
+reject with icmp no-route;fail
+reject with icmpv6 no-route;fail
diff --git a/tests/py/ip/reject.t.json b/tests/py/ip/reject.t.json
index d120b9f1..3e1d28de 100644
--- a/tests/py/ip/reject.t.json
+++ b/tests/py/ip/reject.t.json
@@ -5,7 +5,7 @@
}
]
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
[
{
"reject": {
@@ -15,7 +15,7 @@
}
]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
[
{
"reject": {
@@ -25,7 +25,7 @@
}
]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
[
{
"reject": {
@@ -35,7 +35,7 @@
}
]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
[
{
"reject": {
@@ -45,7 +45,7 @@
}
]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
[
{
"reject": {
@@ -55,7 +55,7 @@
}
]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
[
{
"reject": {
@@ -65,7 +65,7 @@
}
]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
[
{
"reject": {
@@ -75,6 +75,16 @@
}
]
+# reject with icmp 3
+[
+ {
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
+ }
+ }
+]
+
# mark 0x80000000 reject with tcp reset
[
{
diff --git a/tests/py/ip/reject.t.payload b/tests/py/ip/reject.t.payload
index 07e4cc8d..5829065a 100644
--- a/tests/py/ip/reject.t.payload
+++ b/tests/py/ip/reject.t.payload
@@ -2,34 +2,38 @@
ip test-ip4 output
[ reject type 0 code 3 ]
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
ip test-ip4 output
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
ip test-ip4 output
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
ip test-ip4 output
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
ip test-ip4 output
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
ip test-ip4 output
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
ip test-ip4 output
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
ip test-ip4 output
[ reject type 0 code 13 ]
+# reject with icmp 3
+ip test-ip4 output
+ [ reject type 0 code 3 ]
+
# mark 0x80000000 reject with tcp reset
ip test-ip4 output
[ meta load l4proto => reg 1 ]
diff --git a/tests/py/ip/sets.t.json b/tests/py/ip/sets.t.json
index 65d2df87..d24b3918 100644
--- a/tests/py/ip/sets.t.json
+++ b/tests/py/ip/sets.t.json
@@ -188,3 +188,87 @@
}
]
+# ip saddr @set6 drop
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "@set6"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# ip saddr vmap { 1.1.1.1 : drop, * : accept }
+[
+ {
+ "vmap": {
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ {
+ "drop": null
+ }
+ ],
+ [
+ "*",
+ {
+ "accept": null
+ }
+ ]
+ ]
+ },
+ "key": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ }
+ }
+ }
+]
+
+# meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "map": {
+ "data": {
+ "set": [
+ [
+ "1.1.1.1",
+ 1
+ ],
+ [
+ "*",
+ 2
+ ]
+ ]
+ },
+ "key": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+]
+
diff --git a/tests/py/ip/snat.t b/tests/py/ip/snat.t
index c6e8a8e6..38acf52f 100644
--- a/tests/py/ip/snat.t
+++ b/tests/py/ip/snat.t
@@ -9,6 +9,7 @@ iifname "eth0" tcp dport != {80, 90, 23} snat to 192.168.3.2;ok
iifname "eth0" tcp dport != 23-34 snat to 192.168.3.2;ok
-snat ip addr . port to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };ok
-snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 };ok
+snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 };ok
+snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 };ok
+snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 };ok
snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 };ok
diff --git a/tests/py/ip/snat.t.json b/tests/py/ip/snat.t.json
index 62c6e61b..0e1485fa 100644
--- a/tests/py/ip/snat.t.json
+++ b/tests/py/ip/snat.t.json
@@ -166,7 +166,7 @@
}
]
-# snat ip addr . port to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
[
{
"snat": {
diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload
index ef4c1ce9..58b1c1a4 100644
--- a/tests/py/ip/snat.t.payload
+++ b/tests/py/ip/snat.t.payload
@@ -60,7 +60,7 @@ ip test-ip4 postrouting
[ immediate reg 1 0x0203a8c0 ]
[ nat snat ip addr_min reg 1 ]
-# snat ip addr . port to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
+# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.3 . 80 }
__map%d test-ip4 b size 1
__map%d test-ip4 0
element 040b8d0a : 0302a8c0 00005000 0 [end]
@@ -69,7 +69,7 @@ ip
[ lookup reg 1 set __map%d dreg 1 ]
[ nat snat ip addr_min reg 1 proto_min reg 9 ]
-# snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
+# snat ip to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
__map%d test-ip4 b size 1
__map%d test-ip4 0
element 040b8d0a : 0202a8c0 0402a8c0 0 [end]
@@ -87,3 +87,11 @@ ip
[ lookup reg 1 set __map%d dreg 1 ]
[ nat snat ip addr_min reg 1 addr_max reg 9 flags 0x40 ]
+# snat ip to ip saddr map { 10.141.12.14 : 192.168.2.0/24 }
+__map%d test-ip4 b size 1
+__map%d test-ip4 0
+ element 0e0c8d0a : 0002a8c0 ff02a8c0 0 [end]
+ip
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ nat snat ip addr_min reg 1 addr_max reg 9 ]
diff --git a/tests/py/ip6/dst.t b/tests/py/ip6/dst.t
index 9e7c554f..cd1fd3b2 100644
--- a/tests/py/ip6/dst.t
+++ b/tests/py/ip6/dst.t
@@ -9,8 +9,6 @@ dst nexthdr 33-45;ok
dst nexthdr != 33-45;ok
dst nexthdr { 33, 55, 67, 88};ok
dst nexthdr != { 33, 55, 67, 88};ok
-dst nexthdr { 33-55};ok
-dst nexthdr != { 33-55};ok
dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr { 51, 50, 17, 136, 58, 6, 33, 132, 108}
dst nexthdr != { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp};ok;dst nexthdr != { 51, 50, 17, 136, 58, 6, 33, 132, 108}
dst nexthdr icmp;ok;dst nexthdr 1
@@ -21,6 +19,3 @@ dst hdrlength != 233;ok
dst hdrlength 33-45;ok
dst hdrlength != 33-45;ok
dst hdrlength { 33, 55, 67, 88};ok
-dst hdrlength != { 33, 55, 67, 88};ok
-dst hdrlength { 33-55};ok
-dst hdrlength != { 33-55};ok
diff --git a/tests/py/ip6/dst.t.json b/tests/py/ip6/dst.t.json
index 1373e177..e947a76f 100644
--- a/tests/py/ip6/dst.t.json
+++ b/tests/py/ip6/dst.t.json
@@ -112,46 +112,6 @@
}
]
-# dst nexthdr { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "dst"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# dst nexthdr != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "dst"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
[
{
@@ -353,44 +313,3 @@
}
}
]
-
-# dst hdrlength { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "dst"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# dst hdrlength != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "dst"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
diff --git a/tests/py/ip6/dst.t.payload.inet b/tests/py/ip6/dst.t.payload.inet
index ff22237e..90d6bda1 100644
--- a/tests/py/ip6/dst.t.payload.inet
+++ b/tests/py/ip6/dst.t.payload.inet
@@ -47,26 +47,6 @@ inet test-inet input
[ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# dst nexthdr { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# dst nexthdr != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
__set%d test-inet 3
__set%d test-inet 0
@@ -149,24 +129,3 @@ ip6 test-ip6 input
[ cmp eq reg 1 0x0000000a ]
[ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-
-# dst hdrlength { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# dst hdrlength != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/ip6/dst.t.payload.ip6 b/tests/py/ip6/dst.t.payload.ip6
index 9bf564cb..941140d0 100644
--- a/tests/py/ip6/dst.t.payload.ip6
+++ b/tests/py/ip6/dst.t.payload.ip6
@@ -35,22 +35,6 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# dst nexthdr { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# dst nexthdr != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 60 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# dst nexthdr { udplite, ipcomp, udp, ah, sctp, esp, dccp, tcp, ipv6-icmp}
__set%d test-ip6 3
__set%d test-ip6 0
@@ -113,21 +97,3 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-
-# dst hdrlength { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# dst hdrlength != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 60 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
-
diff --git a/tests/py/ip6/frag.t b/tests/py/ip6/frag.t
index e16529ad..945398db 100644
--- a/tests/py/ip6/frag.t
+++ b/tests/py/ip6/frag.t
@@ -17,8 +17,6 @@ frag reserved 33-45;ok
frag reserved != 33-45;ok
frag reserved { 33, 55, 67, 88};ok
frag reserved != { 33, 55, 67, 88};ok
-frag reserved { 33-55};ok
-frag reserved != { 33-55};ok
frag frag-off 22;ok
frag frag-off != 233;ok
@@ -26,8 +24,6 @@ frag frag-off 33-45;ok
frag frag-off != 33-45;ok
frag frag-off { 33, 55, 67, 88};ok
frag frag-off != { 33, 55, 67, 88};ok
-frag frag-off { 33-55};ok
-frag frag-off != { 33-55};ok
frag reserved2 1;ok
frag more-fragments 0;ok
@@ -40,5 +36,3 @@ frag id 33-45;ok
frag id != 33-45;ok
frag id { 33, 55, 67, 88};ok
frag id != { 33, 55, 67, 88};ok
-frag id { 33-55};ok
-frag id != { 33-55};ok
diff --git a/tests/py/ip6/frag.t.payload.inet b/tests/py/ip6/frag.t.payload.inet
index ff1458d2..20334f44 100644
--- a/tests/py/ip6/frag.t.payload.inet
+++ b/tests/py/ip6/frag.t.payload.inet
@@ -95,26 +95,6 @@ inet test-inet output
[ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# frag reserved { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet output
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# frag reserved != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet output
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# frag frag-off 22
inet test-inet output
[ meta load nfproto => reg 1 ]
@@ -170,28 +150,6 @@ inet test-inet output
[ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
-# frag frag-off { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
-inet test-inet output
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d ]
-
-# frag frag-off != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
-inet test-inet output
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# frag id 1
inet test-inet output
[ meta load nfproto => reg 1 ]
@@ -248,26 +206,6 @@ inet test-inet output
[ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# frag id { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet output
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# frag id != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-inet test-inet output
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# frag reserved2 1
inet test-inet output
[ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip6/frag.t.payload.ip6 b/tests/py/ip6/frag.t.payload.ip6
index dc4103fd..7c3e7a4e 100644
--- a/tests/py/ip6/frag.t.payload.ip6
+++ b/tests/py/ip6/frag.t.payload.ip6
@@ -71,22 +71,6 @@ ip6 test-ip6 output
[ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# frag reserved { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 output
- [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# frag reserved != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 output
- [ exthdr load ipv6 1b @ 44 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# frag frag-off 22
ip6 test-ip6 output
[ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
@@ -130,24 +114,6 @@ ip6 test-ip6 output
[ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
-# frag frag-off { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
-ip6 test-ip6 output
- [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d ]
-
-# frag frag-off != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000801 : 0 [end] element 0000b901 : 1 [end]
-ip6 test-ip6 output
- [ exthdr load ipv6 2b @ 44 + 2 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x0000f8ff ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# frag id 1
ip6 test-ip6 output
[ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
@@ -190,22 +156,6 @@ ip6 test-ip6 output
[ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# frag id { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-ip6 test-ip6 output
- [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# frag id != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-ip6 test-ip6 output
- [ exthdr load ipv6 4b @ 44 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# frag reserved2 1
ip6 test-ip6 output
[ exthdr load ipv6 1b @ 44 + 3 => reg 1 ]
diff --git a/tests/py/ip6/hbh.t b/tests/py/ip6/hbh.t
index f367a384..fce5feae 100644
--- a/tests/py/ip6/hbh.t
+++ b/tests/py/ip6/hbh.t
@@ -9,8 +9,6 @@ hbh hdrlength 33-45;ok
hbh hdrlength != 33-45;ok
hbh hdrlength {33, 55, 67, 88};ok
hbh hdrlength != {33, 55, 67, 88};ok
-hbh hdrlength { 33-55};ok
-hbh hdrlength != { 33-55};ok
hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr { 58, 136, 51, 50, 6, 17, 132, 33, 108}
hbh nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;hbh nexthdr != { 58, 136, 51, 50, 6, 17, 132, 33, 108}
@@ -20,7 +18,5 @@ hbh nexthdr 33-45;ok
hbh nexthdr != 33-45;ok
hbh nexthdr {33, 55, 67, 88};ok
hbh nexthdr != {33, 55, 67, 88};ok
-hbh nexthdr { 33-55};ok
-hbh nexthdr != { 33-55};ok
hbh nexthdr ip;ok;hbh nexthdr 0
hbh nexthdr != ip;ok;hbh nexthdr != 0
diff --git a/tests/py/ip6/hbh.t.json b/tests/py/ip6/hbh.t.json
index 441d3bfe..68670a3b 100644
--- a/tests/py/ip6/hbh.t.json
+++ b/tests/py/ip6/hbh.t.json
@@ -112,46 +112,6 @@
}
]
-# hbh hdrlength { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "hbh"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# hbh hdrlength != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "hbh"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
[
{
@@ -322,46 +282,6 @@
}
]
-# hbh nexthdr { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "hbh"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# hbh nexthdr != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "hbh"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# hbh nexthdr ip
[
{
diff --git a/tests/py/ip6/hbh.t.payload.inet b/tests/py/ip6/hbh.t.payload.inet
index e358351d..63afd832 100644
--- a/tests/py/ip6/hbh.t.payload.inet
+++ b/tests/py/ip6/hbh.t.payload.inet
@@ -47,26 +47,6 @@ inet test-inet filter-input
[ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# hbh hdrlength { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet filter-input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# hbh hdrlength != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet filter-input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
__set%d test-inet 3
__set%d test-inet 0
@@ -136,26 +116,6 @@ inet test-inet filter-input
[ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# hbh nexthdr { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet filter-input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# hbh nexthdr != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet filter-input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# hbh nexthdr ip
inet test-inet filter-input
[ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip6/hbh.t.payload.ip6 b/tests/py/ip6/hbh.t.payload.ip6
index a4b131a5..913505a5 100644
--- a/tests/py/ip6/hbh.t.payload.ip6
+++ b/tests/py/ip6/hbh.t.payload.ip6
@@ -35,22 +35,6 @@ ip6 test-ip6 filter-input
[ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# hbh hdrlength { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 filter-input
- [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# hbh hdrlength != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 filter-input
- [ exthdr load ipv6 1b @ 0 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# hbh nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6}
__set%d test-ip6 3
__set%d test-ip6 0
@@ -104,22 +88,6 @@ ip6 test-ip6 filter-input
[ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# hbh nexthdr { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 filter-input
- [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# hbh nexthdr != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 filter-input
- [ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# hbh nexthdr ip
ip6 test-ip6 filter-input
[ exthdr load ipv6 1b @ 0 + 0 => reg 1 ]
diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t
index a45efed6..4de6ee23 100644
--- a/tests/py/ip6/icmpv6.t
+++ b/tests/py/ip6/icmpv6.t
@@ -32,8 +32,6 @@ icmpv6 code 4;ok;icmpv6 code port-unreachable
icmpv6 code 3-66;ok
icmpv6 code {5, 6, 7} accept;ok;icmpv6 code {policy-fail, reject-route, 7} accept
icmpv6 code != {policy-fail, reject-route, 7} accept;ok
-icmpv6 code { 3-66};ok
-icmpv6 code != { 3-66};ok
icmpv6 checksum 2222 log;ok
icmpv6 checksum != 2222 log;ok
@@ -41,8 +39,6 @@ icmpv6 checksum 222-226;ok
icmpv6 checksum != 222-226;ok
icmpv6 checksum { 222, 226};ok
icmpv6 checksum != { 222, 226};ok
-icmpv6 checksum { 222-226};ok
-icmpv6 checksum != { 222-226};ok
# BUG: icmpv6 parameter-problem, pptr
# [ICMP6HDR_PPTR] = ICMP6HDR_FIELD("parameter-problem", icmp6_pptr),
@@ -64,16 +60,15 @@ icmpv6 mtu 33-45;ok
icmpv6 mtu != 33-45;ok
icmpv6 mtu {33, 55, 67, 88};ok
icmpv6 mtu != {33, 55, 67, 88};ok
-icmpv6 mtu {33-55};ok
-icmpv6 mtu != {33-55};ok
icmpv6 type packet-too-big icmpv6 mtu 1280;ok;icmpv6 mtu 1280
icmpv6 id 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 33-45
icmpv6 id != 33-45;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != 33-45
icmpv6 id {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33, 55, 67, 88}
icmpv6 id != {33, 55, 67, 88};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33, 55, 67, 88}
-icmpv6 id {33-55};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id { 33-55}
-icmpv6 id != {33-55};ok;icmpv6 type { echo-request, echo-reply} icmpv6 id != { 33-55}
+
+icmpv6 id 1;ok;icmpv6 type { echo-request, echo-reply} icmpv6 id 1
+icmpv6 type echo-reply icmpv6 id 65534;ok
icmpv6 sequence 2;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2
icmpv6 sequence {3, 4, 5, 6, 7} accept;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 3, 4, 5, 6, 7} accept
@@ -83,14 +78,10 @@ icmpv6 sequence {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequenc
icmpv6 sequence != {2, 4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2, 4}
icmpv6 sequence 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence 2-4
icmpv6 sequence != 2-4;ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != 2-4
-icmpv6 sequence { 2-4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence { 2-4}
-icmpv6 sequence != { 2-4};ok;icmpv6 type { echo-request, echo-reply} icmpv6 sequence != { 2-4}
icmpv6 max-delay 33-45;ok
icmpv6 max-delay != 33-45;ok
icmpv6 max-delay {33, 55, 67, 88};ok
icmpv6 max-delay != {33, 55, 67, 88};ok
-icmpv6 max-delay {33-55};ok
-icmpv6 max-delay != {33-55};ok
icmpv6 type parameter-problem icmpv6 code no-route;ok
diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json
index 96079042..2251be82 100644
--- a/tests/py/ip6/icmpv6.t.json
+++ b/tests/py/ip6/icmpv6.t.json
@@ -544,46 +544,6 @@
}
]
-# icmpv6 code { 3-66}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "code",
- "protocol": "icmpv6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 3, 66 ] }
- ]
- }
- }
- }
-]
-
-# icmpv6 code != { 3-66}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "code",
- "protocol": "icmpv6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 3, 66 ] }
- ]
- }
- }
- }
-]
-
# icmpv6 checksum 2222 log
[
{
@@ -700,46 +660,6 @@
}
]
-# icmpv6 checksum { 222-226}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "icmpv6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 222, 226 ] }
- ]
- }
- }
- }
-]
-
-# icmpv6 checksum != { 222-226}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "checksum",
- "protocol": "icmpv6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 222, 226 ] }
- ]
- }
- }
- }
-]
-
# icmpv6 mtu 22
[
{
@@ -854,46 +774,6 @@
}
]
-# icmpv6 mtu {33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "mtu",
- "protocol": "icmpv6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# icmpv6 mtu != {33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "mtu",
- "protocol": "icmpv6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# icmpv6 id 33-45
[
{
@@ -976,42 +856,63 @@
}
]
-# icmpv6 id {33-55}
+# icmpv6 id 1
[
{
"match": {
"left": {
"payload": {
- "field": "id",
+ "field": "type",
"protocol": "icmpv6"
}
},
- "op": "==",
+ "op": "==",
"right": {
"set": [
- { "range": [ 33, 55 ] }
+ "echo-request",
+ "echo-reply"
]
}
}
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "id",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
}
]
-# icmpv6 id != {33-55}
+# icmpv6 type echo-reply icmpv6 id 65534
[
{
"match": {
"left": {
"payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "echo-reply"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
"field": "id",
"protocol": "icmpv6"
}
},
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
+ "op": "==",
+ "right": 65534
}
}
]
@@ -1137,46 +1038,6 @@
}
]
-# icmpv6 sequence { 2-4}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "icmpv6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 2, 4 ] }
- ]
- }
- }
- }
-]
-
-# icmpv6 sequence != { 2-4}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "sequence",
- "protocol": "icmpv6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 2, 4 ] }
- ]
- }
- }
- }
-]
-
# icmpv6 max-delay 33-45
[
{
@@ -1259,46 +1120,6 @@
}
]
-# icmpv6 max-delay {33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "max-delay",
- "protocol": "icmpv6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# icmpv6 max-delay != {33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "max-delay",
- "protocol": "icmpv6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# icmpv6 type packet-too-big icmpv6 mtu 1280
[
{
diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
index c98a2548..0e96be2d 100644
--- a/tests/py/ip6/icmpv6.t.payload.ip6
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -231,26 +231,6 @@ ip6 test-ip6 input
[ lookup reg 1 set __set%d 0x1 ]
[ immediate reg 0 accept ]
-# icmpv6 code { 3-66}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmpv6 code != { 3-66}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000003 : 0 [end] element 00000043 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmpv6 checksum 2222 log
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
@@ -302,26 +282,6 @@ ip6 test-ip6 input
[ payload load 2b @ transport header + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# icmpv6 checksum { 222-226}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmpv6 checksum != { 222-226}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 0000de00 : 0 [end] element 0000e300 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 2b @ transport header + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmpv6 mtu 22
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
@@ -383,30 +343,6 @@ ip6 test-ip6 input
[ payload load 4b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# icmpv6 mtu {33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmpv6 mtu != {33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 21000000 : 0 [end] element 38000000 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000002 ]
- [ payload load 4b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmpv6 type packet-too-big icmpv6 mtu 1280
ip6
[ meta load l4proto => reg 1 ]
@@ -471,35 +407,26 @@ ip6 test-ip6 input
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# icmpv6 id {33-55}
-__set%d test-ip6 3
+# icmpv6 id 1
+__set%d test-ip6 3 size 2
__set%d test-ip6 0
element 00000080 : 0 [end] element 00000081 : 0 [end]
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
+ip6
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
[ payload load 1b @ transport header + 0 => reg 1 ]
[ lookup reg 1 set __set%d ]
[ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
+ [ cmp eq reg 1 0x00000100 ]
-# icmpv6 id != {33-55}
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00000080 : 0 [end] element 00000081 : 0 [end]
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
+# icmpv6 type echo-reply icmpv6 id 65534
+ip6
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x0000003a ]
[ payload load 1b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
+ [ cmp eq reg 1 0x00000081 ]
[ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
+ [ cmp eq reg 1 0x0000feff ]
# icmpv6 sequence 2
__set%d test-ip6 3
@@ -584,36 +511,6 @@ ip6 test-ip6 input
[ payload load 2b @ transport header + 6 => reg 1 ]
[ range neq reg 1 0x00000200 0x00000400 ]
-# icmpv6 sequence { 2-4}
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00000080 : 0 [end] element 00000081 : 0 [end]
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmpv6 sequence != { 2-4}
-__set%d test-ip6 3
-__set%d test-ip6 0
- element 00000080 : 0 [end] element 00000081 : 0 [end]
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000200 : 0 [end] element 00000500 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
- [ payload load 2b @ transport header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmpv6 max-delay 33-45
ip6 test-ip6 input
[ meta load l4proto => reg 1 ]
@@ -657,30 +554,6 @@ ip6 test-ip6 input
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# icmpv6 max-delay {33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000082 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# icmpv6 max-delay != {33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ meta load l4proto => reg 1 ]
- [ cmp eq reg 1 0x0000003a ]
- [ payload load 1b @ transport header + 0 => reg 1 ]
- [ cmp eq reg 1 0x00000082 ]
- [ payload load 2b @ transport header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# icmpv6 type parameter-problem icmpv6 code no-route
ip6
[ meta load l4proto => reg 1 ]
diff --git a/tests/py/ip6/ip6.t b/tests/py/ip6/ip6.t
index dbb56fa3..2ffe318e 100644
--- a/tests/py/ip6/ip6.t
+++ b/tests/py/ip6/ip6.t
@@ -24,8 +24,6 @@ ip6 flowlabel != 233;ok
ip6 flowlabel { 33, 55, 67, 88};ok
# BUG ip6 flowlabel { 5046528, 2883584, 13522432 }
ip6 flowlabel != { 33, 55, 67, 88};ok
-ip6 flowlabel { 33-55};ok
-ip6 flowlabel != { 33-55};ok
ip6 flowlabel vmap { 0 : accept, 2 : continue };ok
ip6 length 22;ok
@@ -34,16 +32,12 @@ ip6 length 33-45;ok
ip6 length != 33-45;ok
ip6 length { 33, 55, 67, 88};ok
ip6 length != {33, 55, 67, 88};ok
-ip6 length { 33-55};ok
-ip6 length != { 33-55};ok
ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp};ok;ip6 nexthdr { 132, 51, 108, 136, 17, 33, 6}
ip6 nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr { 6, 136, 108, 33, 50, 17, 132, 58, 51}
ip6 nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp, icmpv6};ok;ip6 nexthdr != { 6, 136, 108, 33, 50, 17, 132, 58, 51}
ip6 nexthdr esp;ok;ip6 nexthdr 50
ip6 nexthdr != esp;ok;ip6 nexthdr != 50
-ip6 nexthdr { 33-44};ok
-ip6 nexthdr != { 33-44};ok
ip6 nexthdr 33-44;ok
ip6 nexthdr != 33-44;ok
@@ -53,8 +47,6 @@ ip6 hoplimit 33-45;ok
ip6 hoplimit != 33-45;ok
ip6 hoplimit {33, 55, 67, 88};ok
ip6 hoplimit != {33, 55, 67, 88};ok
-ip6 hoplimit {33-55};ok
-ip6 hoplimit != {33-55};ok
# from src/scanner.l
# v680 (({hex4}:){7}{hex4})
diff --git a/tests/py/ip6/ip6.t.json b/tests/py/ip6/ip6.t.json
index f898240f..cf802175 100644
--- a/tests/py/ip6/ip6.t.json
+++ b/tests/py/ip6/ip6.t.json
@@ -213,46 +213,6 @@
}
]
-# ip6 flowlabel { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "flowlabel",
- "protocol": "ip6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# ip6 flowlabel != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "flowlabel",
- "protocol": "ip6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ip6 flowlabel vmap { 0 : accept, 2 : continue }
[
{
@@ -397,48 +357,6 @@
}
]
-# ip6 length { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "length",
- "protocol": "ip6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [ 33, 55 ]
- }
- ]
- }
- }
- }
-]
-
-# ip6 length != { 33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "length",
- "protocol": "ip6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
[
{
@@ -743,46 +661,6 @@
}
]
-# ip6 hoplimit {33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "hoplimit",
- "protocol": "ip6"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# ip6 hoplimit != {33-55}
-[
- {
- "match": {
- "left": {
- "payload": {
- "field": "hoplimit",
- "protocol": "ip6"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
[
{
diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
index a107abd7..20dfe549 100644
--- a/tests/py/ip6/ip6.t.payload.inet
+++ b/tests/py/ip6/ip6.t.payload.inet
@@ -91,28 +91,6 @@ inet test-inet input
[ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip6 flowlabel { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 3b @ network header + 1 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 flowlabel != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 3b @ network header + 1 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 flowlabel vmap { 0 : accept, 2 : continue }
__map%d test-inet b size 2
__map%d test-inet 0
@@ -173,26 +151,6 @@ inet test-inet input
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip6 length { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 length != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
__set%d test-inet 3
__set%d test-inet 0
@@ -237,26 +195,6 @@ inet test-inet input
[ payload load 1b @ network header + 6 => reg 1 ]
[ cmp neq reg 1 0x00000032 ]
-# ip6 nexthdr { 33-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 nexthdr != { 33-44}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 nexthdr 33-44
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -321,26 +259,6 @@ inet test-inet input
[ payload load 1b @ network header + 7 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip6 hoplimit {33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 1b @ network header + 7 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 hoplimit != {33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ payload load 1b @ network header + 7 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
inet test-inet input
[ meta load nfproto => reg 1 ]
diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6
index 67666220..f8e3ca3c 100644
--- a/tests/py/ip6/ip6.t.payload.ip6
+++ b/tests/py/ip6/ip6.t.payload.ip6
@@ -71,24 +71,6 @@ ip6 test-ip6 input
[ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip6 flowlabel { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
-ip6 test-ip6 input
- [ payload load 3b @ network header + 1 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 flowlabel != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00210000 : 0 [end] element 00380000 : 1 [end]
-ip6 test-ip6 input
- [ payload load 3b @ network header + 1 => reg 1 ]
- [ bitwise reg 1 = ( reg 1 & 0x00ffff0f ) ^ 0x00000000 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 flowlabel vmap { 0 : accept, 2 : continue }
__map%d test-ip6 b size 2
__map%d test-ip6 0
@@ -135,22 +117,6 @@ ip6 test-ip6 input
[ payload load 2b @ network header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip6 length { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 length != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ payload load 2b @ network header + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 nexthdr {udp, ah, comp, udplite, tcp, dccp, sctp}
__set%d test-ip6 3
__set%d test-ip6 0
@@ -185,22 +151,6 @@ ip6 test-ip6 input
[ payload load 1b @ network header + 6 => reg 1 ]
[ cmp neq reg 1 0x00000032 ]
-# ip6 nexthdr { 33-44}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 nexthdr != { 33-44}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 0000002d : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 6 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 nexthdr 33-44
ip6 test-ip6 input
[ payload load 1b @ network header + 6 => reg 1 ]
@@ -249,22 +199,6 @@ ip6 test-ip6 input
[ payload load 1b @ network header + 7 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# ip6 hoplimit {33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 7 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# ip6 hoplimit != {33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ payload load 1b @ network header + 7 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234
ip6 test-ip6 input
[ payload load 16b @ network header + 8 => reg 1 ]
diff --git a/tests/py/ip6/mh.t b/tests/py/ip6/mh.t
index 2f90372e..46f4ba05 100644
--- a/tests/py/ip6/mh.t
+++ b/tests/py/ip6/mh.t
@@ -15,8 +15,6 @@ mh nexthdr 33-45;ok
mh nexthdr != 33-45;ok
mh nexthdr { 33, 55, 67, 88 };ok
mh nexthdr != { 33, 55, 67, 88 };ok
-mh nexthdr { 33-55 };ok
-mh nexthdr != { 33-55 };ok
mh hdrlength 22;ok
mh hdrlength != 233;ok
@@ -24,8 +22,6 @@ mh hdrlength 33-45;ok
mh hdrlength != 33-45;ok
mh hdrlength { 33, 55, 67, 88 };ok
mh hdrlength != { 33, 55, 67, 88 };ok
-mh hdrlength { 33-55 };ok
-mh hdrlength != { 33-55 };ok
mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message};ok
mh type home-agent-switch-message;ok
@@ -37,8 +33,6 @@ mh reserved 33-45;ok
mh reserved != 33-45;ok
mh reserved { 33, 55, 67, 88};ok
mh reserved != { 33, 55, 67, 88};ok
-mh reserved { 33-55};ok
-mh reserved != { 33-55};ok
mh checksum 22;ok
mh checksum != 233;ok
@@ -46,5 +40,3 @@ mh checksum 33-45;ok
mh checksum != 33-45;ok
mh checksum { 33, 55, 67, 88};ok
mh checksum != { 33, 55, 67, 88};ok
-mh checksum { 33-55};ok
-mh checksum != { 33-55};ok
diff --git a/tests/py/ip6/mh.t.json b/tests/py/ip6/mh.t.json
index 211477d3..3159b14b 100644
--- a/tests/py/ip6/mh.t.json
+++ b/tests/py/ip6/mh.t.json
@@ -232,48 +232,6 @@
}
]
-# mh nexthdr { 33-55 }
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "mh"
- }
- },
- "op": "==",
- "right": {
- "set": [
- {
- "range": [ 33, 55 ]
- }
- ]
- }
- }
- }
-]
-
-# mh nexthdr != { 33-55 }
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "mh"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# mh hdrlength 22
[
{
@@ -388,46 +346,6 @@
}
]
-# mh hdrlength { 33-55 }
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "mh"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# mh hdrlength != { 33-55 }
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "mh"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
[
{
@@ -606,46 +524,6 @@
}
]
-# mh reserved { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "reserved",
- "name": "mh"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# mh reserved != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "reserved",
- "name": "mh"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# mh checksum 22
[
{
@@ -760,43 +638,3 @@
}
]
-# mh checksum { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "checksum",
- "name": "mh"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# mh checksum != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "checksum",
- "name": "mh"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
diff --git a/tests/py/ip6/mh.t.payload.inet b/tests/py/ip6/mh.t.payload.inet
index 2c473fbd..54eaa70e 100644
--- a/tests/py/ip6/mh.t.payload.inet
+++ b/tests/py/ip6/mh.t.payload.inet
@@ -95,26 +95,6 @@ inet test-inet input
[ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# mh nexthdr { 33-55 }
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh nexthdr != { 33-55 }
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# mh hdrlength 22
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -164,26 +144,6 @@ inet test-inet input
[ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# mh hdrlength { 33-55 }
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh hdrlength != { 33-55 }
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
__set%d test-inet 3
__set%d test-inet 0
@@ -257,26 +217,6 @@ inet test-inet input
[ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# mh reserved { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh reserved != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# mh checksum 22
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -325,24 +265,3 @@ inet test-inet input
[ cmp eq reg 1 0x0000000a ]
[ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-
-# mh checksum { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh checksum != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/ip6/mh.t.payload.ip6 b/tests/py/ip6/mh.t.payload.ip6
index 93744dac..73bd4226 100644
--- a/tests/py/ip6/mh.t.payload.ip6
+++ b/tests/py/ip6/mh.t.payload.ip6
@@ -71,22 +71,6 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# mh nexthdr { 33-55 }
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh nexthdr != { 33-55 }
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 135 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# mh hdrlength 22
ip6 test-ip6 input
[ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
@@ -124,22 +108,6 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# mh hdrlength { 33-55 }
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh hdrlength != { 33-55 }
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 135 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# mh type {binding-refresh-request, home-test-init, careof-test-init, home-test, careof-test, binding-update, binding-acknowledgement, binding-error, fast-binding-update, fast-binding-acknowledgement, fast-binding-advertisement, experimental-mobility-header, home-agent-switch-message}
__set%d test-ip6 3
__set%d test-ip6 0
@@ -195,22 +163,6 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# mh reserved { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh reserved != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 135 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# mh checksum 22
ip6 test-ip6 input
[ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
@@ -247,20 +199,3 @@ __set%d test-ip6 0
ip6 test-ip6 input
[ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-
-# mh checksum { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# mh checksum != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00002100 : 0 [end] element 00003800 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 2b @ 135 + 4 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/ip6/reject.t b/tests/py/ip6/reject.t
index 7fa04eec..bfdd094e 100644
--- a/tests/py/ip6/reject.t
+++ b/tests/py/ip6/reject.t
@@ -3,13 +3,14 @@
*ip6;test-ip6;output
reject;ok
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok;reject
-reject with icmpv6 type policy-fail;ok
-reject with icmpv6 type reject-route;ok
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok;reject
+reject with icmpv6 policy-fail;ok
+reject with icmpv6 reject-route;ok
+reject with icmpv6 3;ok;reject with icmpv6 addr-unreachable
mark 0x80000000 reject with tcp reset;ok;meta mark 0x80000000 reject with tcp reset
-reject with icmpv6 type host-unreachable;fail
-reject with icmp type host-unreachable;fail
+reject with icmpv6 host-unreachable;fail
+reject with icmp host-unreachable;fail
diff --git a/tests/py/ip6/reject.t.json b/tests/py/ip6/reject.t.json
index ae57c333..312a7dab 100644
--- a/tests/py/ip6/reject.t.json
+++ b/tests/py/ip6/reject.t.json
@@ -5,7 +5,7 @@
}
]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
[
{
"reject": {
@@ -15,7 +15,7 @@
}
]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
[
{
"reject": {
@@ -25,7 +25,7 @@
}
]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
[
{
"reject": {
@@ -35,7 +35,7 @@
}
]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
[
{
"reject": {
@@ -45,7 +45,7 @@
}
]
-# reject with icmpv6 type policy-fail
+# reject with icmpv6 policy-fail
[
{
"reject": {
@@ -55,7 +55,7 @@
}
]
-# reject with icmpv6 type reject-route
+# reject with icmpv6 reject-route
[
{
"reject": {
@@ -65,6 +65,16 @@
}
]
+# reject with icmpv6 3
+[
+ {
+ "reject": {
+ "expr": "addr-unreachable",
+ "type": "icmpv6"
+ }
+ }
+]
+
# mark 0x80000000 reject with tcp reset
[
{
diff --git a/tests/py/ip6/reject.t.payload.ip6 b/tests/py/ip6/reject.t.payload.ip6
index dd4491ae..3d4321b0 100644
--- a/tests/py/ip6/reject.t.payload.ip6
+++ b/tests/py/ip6/reject.t.payload.ip6
@@ -2,30 +2,34 @@
ip6 test-ip6 output
[ reject type 0 code 4 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
ip6 test-ip6 output
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
ip6 test-ip6 output
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
ip6 test-ip6 output
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
ip6 test-ip6 output
[ reject type 0 code 4 ]
-# reject with icmpv6 type policy-fail
+# reject with icmpv6 policy-fail
ip6 test-ip6 output
[ reject type 0 code 5 ]
-# reject with icmpv6 type reject-route
+# reject with icmpv6 reject-route
ip6 test-ip6 output
[ reject type 0 code 6 ]
+# reject with icmpv6 3
+ip6 test-ip6 output
+ [ reject type 0 code 3 ]
+
# mark 0x80000000 reject with tcp reset
ip6 test-ip6 output
[ meta load l4proto => reg 1 ]
diff --git a/tests/py/ip6/rt.t b/tests/py/ip6/rt.t
index c3feaabe..c33d38a5 100644
--- a/tests/py/ip6/rt.t
+++ b/tests/py/ip6/rt.t
@@ -15,8 +15,6 @@ rt nexthdr 33-45;ok
rt nexthdr != 33-45;ok
rt nexthdr { 33, 55, 67, 88};ok
rt nexthdr != { 33, 55, 67, 88};ok
-rt nexthdr { 33-55};ok
-rt nexthdr != { 33-55};ok
rt hdrlength 22;ok
rt hdrlength != 233;ok
@@ -24,8 +22,6 @@ rt hdrlength 33-45;ok
rt hdrlength != 33-45;ok
rt hdrlength { 33, 55, 67, 88};ok
rt hdrlength != { 33, 55, 67, 88};ok
-rt hdrlength { 33-55};ok
-rt hdrlength != { 33-55};ok
rt type 22;ok
rt type != 233;ok
@@ -33,8 +29,6 @@ rt type 33-45;ok
rt type != 33-45;ok
rt type { 33, 55, 67, 88};ok
rt type != { 33, 55, 67, 88};ok
-rt type { 33-55};ok
-rt type != { 33-55};ok
rt seg-left 22;ok
rt seg-left != 233;ok
@@ -42,5 +36,3 @@ rt seg-left 33-45;ok
rt seg-left != 33-45;ok
rt seg-left { 33, 55, 67, 88};ok
rt seg-left != { 33, 55, 67, 88};ok
-rt seg-left { 33-55};ok
-rt seg-left != { 33-55};ok
diff --git a/tests/py/ip6/rt.t.json b/tests/py/ip6/rt.t.json
index 86a46402..b12873d6 100644
--- a/tests/py/ip6/rt.t.json
+++ b/tests/py/ip6/rt.t.json
@@ -232,46 +232,6 @@
}
]
-# rt nexthdr { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "rt"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# rt nexthdr != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "nexthdr",
- "name": "rt"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# rt hdrlength 22
[
{
@@ -386,46 +346,6 @@
}
]
-# rt hdrlength { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "rt"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# rt hdrlength != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "hdrlength",
- "name": "rt"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# rt type 22
[
{
@@ -540,46 +460,6 @@
}
]
-# rt type { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "type",
- "name": "rt"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# rt type != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "type",
- "name": "rt"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
# rt seg-left 22
[
{
@@ -694,43 +574,3 @@
}
]
-# rt seg-left { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "seg-left",
- "name": "rt"
- }
- },
- "op": "==",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
-# rt seg-left != { 33-55}
-[
- {
- "match": {
- "left": {
- "exthdr": {
- "field": "seg-left",
- "name": "rt"
- }
- },
- "op": "!=",
- "right": {
- "set": [
- { "range": [ 33, 55 ] }
- ]
- }
- }
- }
-]
-
diff --git a/tests/py/ip6/rt.t.payload.inet b/tests/py/ip6/rt.t.payload.inet
index eafb4a00..864d3114 100644
--- a/tests/py/ip6/rt.t.payload.inet
+++ b/tests/py/ip6/rt.t.payload.inet
@@ -95,26 +95,6 @@ inet test-inet input
[ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt nexthdr { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt nexthdr != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# rt hdrlength 22
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -164,26 +144,6 @@ inet test-inet input
[ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt hdrlength { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt hdrlength != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# rt type 22
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -233,26 +193,6 @@ inet test-inet input
[ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt type { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt type != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# rt seg-left 22
inet test-inet input
[ meta load nfproto => reg 1 ]
@@ -302,23 +242,3 @@ inet test-inet input
[ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt seg-left { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt seg-left != { 33-55}
-__set%d test-inet 7
-__set%d test-inet 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-inet test-inet input
- [ meta load nfproto => reg 1 ]
- [ cmp eq reg 1 0x0000000a ]
- [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/ip6/rt.t.payload.ip6 b/tests/py/ip6/rt.t.payload.ip6
index 929cf9e1..c7b52f82 100644
--- a/tests/py/ip6/rt.t.payload.ip6
+++ b/tests/py/ip6/rt.t.payload.ip6
@@ -71,22 +71,6 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt nexthdr { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt nexthdr != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 0 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# rt hdrlength 22
ip6 test-ip6 input
[ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
@@ -124,22 +108,6 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt hdrlength { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt hdrlength != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 1 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# rt type 22
ip6 test-ip6 input
[ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
@@ -177,22 +145,6 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt type { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt type != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 2 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
# rt seg-left 22
ip6 test-ip6 input
[ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
@@ -230,19 +182,3 @@ ip6 test-ip6 input
[ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
-# rt seg-left { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d ]
-
-# rt seg-left != { 33-55}
-__set%d test-ip6 7
-__set%d test-ip6 0
- element 00000000 : 1 [end] element 00000021 : 0 [end] element 00000038 : 1 [end]
-ip6 test-ip6 input
- [ exthdr load ipv6 1b @ 43 + 3 => reg 1 ]
- [ lookup reg 1 set __set%d 0x1 ]
-
diff --git a/tests/py/netdev/reject.t b/tests/py/netdev/reject.t
index af109086..c66e649c 100644
--- a/tests/py/netdev/reject.t
+++ b/tests/py/netdev/reject.t
@@ -2,39 +2,39 @@
*netdev;test-netdev;ingress
-reject with icmp type host-unreachable;ok
-reject with icmp type net-unreachable;ok
-reject with icmp type prot-unreachable;ok
-reject with icmp type port-unreachable;ok
-reject with icmp type net-prohibited;ok
-reject with icmp type host-prohibited;ok
-reject with icmp type admin-prohibited;ok
-
-reject with icmpv6 type no-route;ok
-reject with icmpv6 type admin-prohibited;ok
-reject with icmpv6 type addr-unreachable;ok
-reject with icmpv6 type port-unreachable;ok
-reject with icmpv6 type policy-fail;ok
-reject with icmpv6 type reject-route;ok
+reject with icmp host-unreachable;ok
+reject with icmp net-unreachable;ok
+reject with icmp prot-unreachable;ok
+reject with icmp port-unreachable;ok
+reject with icmp net-prohibited;ok
+reject with icmp host-prohibited;ok
+reject with icmp admin-prohibited;ok
+
+reject with icmpv6 no-route;ok
+reject with icmpv6 admin-prohibited;ok
+reject with icmpv6 addr-unreachable;ok
+reject with icmpv6 port-unreachable;ok
+reject with icmpv6 policy-fail;ok
+reject with icmpv6 reject-route;ok
mark 12345 reject with tcp reset;ok;meta l4proto 6 meta mark 0x00003039 reject with tcp reset
reject;ok
-meta protocol ip reject;ok;reject with icmp type port-unreachable
-meta protocol ip6 reject;ok;reject with icmpv6 type port-unreachable
+meta protocol ip reject;ok;reject with icmp port-unreachable
+meta protocol ip6 reject;ok;reject with icmpv6 port-unreachable
-reject with icmpx type host-unreachable;ok
-reject with icmpx type no-route;ok
-reject with icmpx type admin-prohibited;ok
-reject with icmpx type port-unreachable;ok;reject
+reject with icmpx host-unreachable;ok
+reject with icmpx no-route;ok
+reject with icmpx admin-prohibited;ok
+reject with icmpx port-unreachable;ok;reject
-meta protocol ip reject with icmp type host-unreachable;ok;reject with icmp type host-unreachable
-meta protocol ip6 reject with icmpv6 type no-route;ok;reject with icmpv6 type no-route
+meta protocol ip reject with icmp host-unreachable;ok;reject with icmp host-unreachable
+meta protocol ip6 reject with icmpv6 no-route;ok;reject with icmpv6 no-route
-meta protocol ip6 reject with icmp type host-unreachable;fail
-meta protocol ip ip protocol icmp reject with icmpv6 type no-route;fail
-meta protocol ip6 ip protocol icmp reject with icmp type host-unreachable;fail
+meta protocol ip6 reject with icmp host-unreachable;fail
+meta protocol ip ip protocol icmp reject with icmpv6 no-route;fail
+meta protocol ip6 ip protocol icmp reject with icmp host-unreachable;fail
meta l4proto udp reject with tcp reset;fail
-meta protocol ip reject with icmpx type admin-prohibited;ok
-meta protocol ip6 reject with icmpx type admin-prohibited;ok
+meta protocol ip reject with icmpx admin-prohibited;ok
+meta protocol ip6 reject with icmpx admin-prohibited;ok
diff --git a/tests/py/netdev/reject.t.json b/tests/py/netdev/reject.t.json
index 21e6ebb5..9968aaf8 100644
--- a/tests/py/netdev/reject.t.json
+++ b/tests/py/netdev/reject.t.json
@@ -1,4 +1,4 @@
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
[
{
"reject": {
@@ -8,7 +8,7 @@
}
]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
[
{
"reject": {
@@ -18,7 +18,7 @@
}
]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
[
{
"reject": {
@@ -28,7 +28,7 @@
}
]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
[
{
"reject": {
@@ -38,7 +38,7 @@
}
]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
[
{
"reject": {
@@ -48,7 +48,7 @@
}
]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
[
{
"reject": {
@@ -58,7 +58,7 @@
}
]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
[
{
"reject": {
@@ -68,7 +68,7 @@
}
]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
[
{
"reject": {
@@ -78,7 +78,7 @@
}
]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
[
{
"reject": {
@@ -88,7 +88,7 @@
}
]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
[
{
"reject": {
@@ -98,7 +98,7 @@
}
]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
[
{
"reject": {
@@ -108,7 +108,7 @@
}
]
-# reject with icmpv6 type policy-fail
+# reject with icmpv6 policy-fail
[
{
"reject": {
@@ -118,7 +118,7 @@
}
]
-# reject with icmpv6 type reject-route
+# reject with icmpv6 reject-route
[
{
"reject": {
@@ -134,6 +134,17 @@
"match": {
"left": {
"meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "meta": {
"key": "mark"
}
},
@@ -151,47 +162,34 @@
# reject
[
{
- "reject": null
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpx"
+ }
}
]
# meta protocol ip reject
[
{
- "match": {
- "left": {
- "meta": {
- "key": "protocol"
- }
- },
- "op": "==",
- "right": "ip"
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmp"
}
- },
- {
- "reject": null
}
]
# meta protocol ip6 reject
[
{
- "match": {
- "left": {
- "meta": {
- "key": "protocol"
- }
- },
- "op": "==",
- "right": "ip6"
+ "reject": {
+ "expr": "port-unreachable",
+ "type": "icmpv6"
}
- },
- {
- "reject": null
}
]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
[
{
"reject": {
@@ -201,7 +199,7 @@
}
]
-# reject with icmpx type no-route
+# reject with icmpx no-route
[
{
"reject": {
@@ -211,7 +209,7 @@
}
]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
[
{
"reject": {
@@ -221,7 +219,7 @@
}
]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
[
{
"reject": {
@@ -231,20 +229,9 @@
}
]
-# meta protocol ip reject with icmp type host-unreachable
+# meta protocol ip reject with icmp host-unreachable
[
{
- "match": {
- "left": {
- "meta": {
- "key": "protocol"
- }
- },
- "op": "==",
- "right": "ip"
- }
- },
- {
"reject": {
"expr": "host-unreachable",
"type": "icmp"
@@ -252,20 +239,9 @@
}
]
-# meta protocol ip6 reject with icmpv6 type no-route
+# meta protocol ip6 reject with icmpv6 no-route
[
{
- "match": {
- "left": {
- "meta": {
- "key": "protocol"
- }
- },
- "op": "==",
- "right": "ip6"
- }
- },
- {
"reject": {
"expr": "no-route",
"type": "icmpv6"
@@ -273,7 +249,7 @@
}
]
-# meta protocol ip reject with icmpx type admin-prohibited
+# meta protocol ip reject with icmpx admin-prohibited
[
{
"match": {
@@ -294,7 +270,7 @@
}
]
-# meta protocol ip6 reject with icmpx type admin-prohibited
+# meta protocol ip6 reject with icmpx admin-prohibited
[
{
"match": {
diff --git a/tests/py/netdev/reject.t.payload b/tests/py/netdev/reject.t.payload
index 5f76b091..d014adab 100644
--- a/tests/py/netdev/reject.t.payload
+++ b/tests/py/netdev/reject.t.payload
@@ -1,76 +1,76 @@
-# reject with icmp type host-unreachable
+# reject with icmp host-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# reject with icmp type net-unreachable
+# reject with icmp net-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 0 ]
-# reject with icmp type prot-unreachable
+# reject with icmp prot-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 2 ]
-# reject with icmp type port-unreachable
+# reject with icmp port-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 3 ]
-# reject with icmp type net-prohibited
+# reject with icmp net-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 9 ]
-# reject with icmp type host-prohibited
+# reject with icmp host-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 10 ]
-# reject with icmp type admin-prohibited
+# reject with icmp admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 13 ]
-# reject with icmpv6 type no-route
+# reject with icmpv6 no-route
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
-# reject with icmpv6 type admin-prohibited
+# reject with icmpv6 admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 1 ]
-# reject with icmpv6 type addr-unreachable
+# reject with icmpv6 addr-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 3 ]
-# reject with icmpv6 type port-unreachable
+# reject with icmpv6 port-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
-# reject with icmpv6 type policy-fail
+# reject with icmpv6 policy-fail
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 5 ]
-# reject with icmpv6 type reject-route
+# reject with icmpv6 reject-route
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
@@ -100,41 +100,41 @@ netdev
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 4 ]
-# reject with icmpx type host-unreachable
+# reject with icmpx host-unreachable
netdev
[ reject type 2 code 2 ]
-# reject with icmpx type no-route
+# reject with icmpx no-route
netdev
[ reject type 2 code 0 ]
-# reject with icmpx type admin-prohibited
+# reject with icmpx admin-prohibited
netdev
[ reject type 2 code 3 ]
-# reject with icmpx type port-unreachable
+# reject with icmpx port-unreachable
netdev
[ reject type 2 code 1 ]
-# meta protocol ip reject with icmp type host-unreachable
+# meta protocol ip reject with icmp host-unreachable
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 0 code 1 ]
-# meta protocol ip6 reject with icmpv6 type no-route
+# meta protocol ip6 reject with icmpv6 no-route
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 0 code 0 ]
-# meta protocol ip reject with icmpx type admin-prohibited
+# meta protocol ip reject with icmpx admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x00000008 ]
[ reject type 2 code 3 ]
-# meta protocol ip6 reject with icmpx type admin-prohibited
+# meta protocol ip6 reject with icmpx admin-prohibited
netdev
[ meta load protocol => reg 1 ]
[ cmp eq reg 1 0x0000dd86 ]
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 18e9c67f..15e74d8b 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -407,7 +407,11 @@ def set_add_elements(set_element, set_name, state, filename, lineno):
ret = execute_cmd(cmd, filename, lineno)
if (state == "fail" and ret == 0) or (state == "ok" and ret != 0):
- test_state = "This rule should have failed."
+ if state == "fail":
+ test_state = "This rule should have failed."
+ else:
+ test_state = "This rule should not have failed."
+
reason = cmd + ": " + test_state
print_error(reason, filename, lineno)
return -1
diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0
new file mode 100755
index 00000000..4848d972
--- /dev/null
+++ b/tests/shell/testcases/maps/0010concat_map_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet x {
+ map z {
+ type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+ elements = {
+ 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30
+ }
+ }
+
+ chain y {
+ type nat hook prerouting priority dstnat;
+ dnat ip addr . port to ip saddr . ip protocol . tcp dport map @z
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/maps/0011vmap_0 b/tests/shell/testcases/maps/0011vmap_0
new file mode 100755
index 00000000..83704d48
--- /dev/null
+++ b/tests/shell/testcases/maps/0011vmap_0
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table inet filter {
+ map portmap {
+ type inet_service : verdict
+ counter
+ }
+
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap @portmap
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept;
+ iif vmap { "lo" : jump wan_input }
+ }
+}"
+
+$NFT -f - <<< "$EXPECTED"
+$NFT 'add element inet filter portmap { 22 : jump ssh_input, * : drop }'
diff --git a/tests/shell/testcases/maps/dumps/0010concat_map_0.nft b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
new file mode 100644
index 00000000..b6bc338c
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0010concat_map_0.nft
@@ -0,0 +1,11 @@
+table inet x {
+ map z {
+ type ipv4_addr . inet_proto . inet_service : ipv4_addr . inet_service
+ elements = { 1.1.1.1 . tcp . 20 : 2.2.2.2 . 30 }
+ }
+
+ chain y {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta nfproto ipv4 dnat ip to ip saddr . ip protocol . tcp dport map @z
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/0011vmap_0.nft b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
new file mode 100644
index 00000000..4a72b5e7
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0011vmap_0.nft
@@ -0,0 +1,19 @@
+table inet filter {
+ map portmap {
+ type inet_service : verdict
+ counter
+ elements = { 22 counter packets 0 bytes 0 : jump ssh_input, * counter packets 0 bytes 0 : drop }
+ }
+
+ chain ssh_input {
+ }
+
+ chain wan_input {
+ tcp dport vmap @portmap
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority raw; policy accept;
+ iif vmap { "lo" : jump wan_input }
+ }
+}
diff --git a/tests/shell/testcases/maps/dumps/nat_addr_port.nft b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
index 89c3bd14..cf6b957f 100644
--- a/tests/shell/testcases/maps/dumps/nat_addr_port.nft
+++ b/tests/shell/testcases/maps/dumps/nat_addr_port.nft
@@ -27,10 +27,10 @@ table ip ipfoo {
dnat to ip daddr map @x
ip saddr 10.1.1.1 dnat to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat to 10.2.3.4:4242
- meta l4proto tcp dnat ip addr . port to ip saddr map @y
- dnat ip addr . port to ip saddr . tcp dport map @z
+ meta l4proto tcp dnat ip to ip saddr map @y
+ dnat ip to ip saddr . tcp dport map @z
dnat to numgen inc mod 2 map @t1
- meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2
+ meta l4proto tcp dnat ip to numgen inc mod 2 map @t2
}
}
table ip6 ip6foo {
@@ -60,10 +60,10 @@ table ip6 ip6foo {
dnat to ip6 daddr map @x
ip6 saddr dead::1 dnat to feed::1
ip6 saddr dead::2 tcp dport 42 dnat to [c0::1a]:4242
- meta l4proto tcp dnat ip6 addr . port to ip6 saddr map @y
- dnat ip6 addr . port to ip6 saddr . tcp dport map @z
+ meta l4proto tcp dnat ip6 to ip6 saddr map @y
+ dnat ip6 to ip6 saddr . tcp dport map @z
dnat to numgen inc mod 2 map @t1
- meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2
+ meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2
}
}
table inet inetfoo {
@@ -114,16 +114,16 @@ table inet inetfoo {
dnat ip to ip daddr map @x4
ip saddr 10.1.1.1 dnat ip to 10.2.3.4
ip saddr 10.1.1.2 tcp dport 42 dnat ip to 10.2.3.4:4242
- meta l4proto tcp meta nfproto ipv4 dnat ip addr . port to ip saddr map @y4
- meta nfproto ipv4 dnat ip addr . port to ip saddr . tcp dport map @z4
+ meta l4proto tcp meta nfproto ipv4 dnat ip to ip saddr map @y4
+ meta nfproto ipv4 dnat ip to ip saddr . tcp dport map @z4
dnat ip to numgen inc mod 2 map @t1v4
- meta l4proto tcp dnat ip addr . port to numgen inc mod 2 map @t2v4
+ meta l4proto tcp dnat ip to numgen inc mod 2 map @t2v4
dnat ip6 to ip6 daddr map @x6
ip6 saddr dead::1 dnat ip6 to feed::1
ip6 saddr dead::2 tcp dport 42 dnat ip6 to [c0::1a]:4242
- meta l4proto tcp meta nfproto ipv6 dnat ip6 addr . port to ip6 saddr map @y6
- meta nfproto ipv6 dnat ip6 addr . port to ip6 saddr . tcp dport map @z6
+ meta l4proto tcp meta nfproto ipv6 dnat ip6 to ip6 saddr map @y6
+ meta nfproto ipv6 dnat ip6 to ip6 saddr . tcp dport map @z6
dnat ip6 to numgen inc mod 2 map @t1v6
- meta l4proto tcp dnat ip6 addr . port to numgen inc mod 2 map @t2v6
+ meta l4proto tcp dnat ip6 to numgen inc mod 2 map @t2v6
}
}
diff --git a/tests/shell/testcases/nft-f/0026listing_0 b/tests/shell/testcases/nft-f/0026listing_0
new file mode 100755
index 00000000..0f2f27c6
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0026listing_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This is like "flush ruleset" except only flushes THIS ruleset, not ALL rulesets.
+# In particular, it leaves the dynamic sshguard/fail2ban deny lists untouched.
+RULESET="add table A
+delete table A
+table A {
+ chain B {
+ tcp dport {1,2} accept
+ }
+}
+list ruleset"
+
+exec $NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/0027split_chains_0 b/tests/shell/testcases/nft-f/0027split_chains_0
new file mode 100755
index 00000000..de1e5a00
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0027split_chains_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table inet filter {
+ chain x {
+ }
+}
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump x
+ }
+}"
+
+$NFT -f - <<< "$RULESET" && exit 0
+exit 1
diff --git a/tests/shell/testcases/nft-f/0028variable_cmdline_0 b/tests/shell/testcases/nft-f/0028variable_cmdline_0
new file mode 100755
index 00000000..a2bbd5da
--- /dev/null
+++ b/tests/shell/testcases/nft-f/0028variable_cmdline_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+
+RULESET="table inet filter {
+ set whitelist_v4 { type ipv4_addr; }
+}
+add element inet filter whitelist_v4 \$whitelist_v4
+"
+
+# this is intentional: exercise error path
+$NFT --define whitelist_v4="{ wrong }" -f - <<< "$RULESET"
+$NFT --define whitelist_v4="{ 1.1.1.1, \$wrong }" -f - <<< "$RULESET"
+
+set -e
+
+$NFT --define whitelist_v4="{ 1.1.1.1, 2.2.2.2 }" -f - <<< "$RULESET"
+$NFT --define x={5.5.5.5} --define whitelist_v4="{ 3.3.3.3, 4.4.4.4, \$x }" -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
new file mode 100644
index 00000000..39198be1
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
@@ -0,0 +1,9 @@
+table inet filter {
+ chain x {
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump x
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
new file mode 100644
index 00000000..aa081122
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
@@ -0,0 +1,8 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ elements = { 1.1.1.1, 2.2.2.2,
+ 3.3.3.3, 4.4.4.4,
+ 5.5.5.5 }
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
new file mode 100644
index 00000000..35e3f36e
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft
@@ -0,0 +1,15 @@
+table ip test {
+ chain test {
+ ip saddr 127.0.0.1 accept
+ iif "lo" accept
+ tcp dport != 22 drop
+ ip saddr 127.0.0.0/8 accept
+ ip saddr 127.0.0.1-192.168.7.3 accept
+ tcp sport 1-1023 drop
+ ip daddr { 192.168.7.1, 192.168.7.5 } accept
+ tcp dport { 80, 443 } accept
+ ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+ meta mark set ip daddr map { 192.168.0.1 : 0x00000001 }
+ ct state { established, related } accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
new file mode 100644
index 00000000..35b93832
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/single_anon_set.nft.input
@@ -0,0 +1,35 @@
+table ip test {
+ chain test {
+ # Test cases where anon set can be removed:
+ ip saddr { 127.0.0.1 } accept
+ iif { "lo" } accept
+
+ # negation, can change to != 22.
+ tcp dport != { 22 } drop
+
+ # single prefix, can remove anon set.
+ ip saddr { 127.0.0.0/8 } accept
+
+ # range, can remove anon set.
+ ip saddr { 127.0.0.1-192.168.7.3 } accept
+ tcp sport { 1-1023 } drop
+
+ # Test cases where anon set must be kept.
+
+ # 2 elements, cannot remove the anon set.
+ ip daddr { 192.168.7.1, 192.168.7.5 } accept
+ tcp dport { 80, 443 } accept
+
+ # single element, but concatenation which is not
+ # supported outside of set/map context at this time.
+ ip daddr . tcp dport { 192.168.0.1 . 22 } accept
+
+ # single element, but a map.
+ meta mark set ip daddr map { 192.168.0.1 : 1 }
+
+ # 2 elements. This could be converted because
+ # ct state cannot be both established and related
+ # at the same time, but this needs extra work.
+ ct state { established, related } accept
+ }
+}
diff --git a/tests/shell/testcases/optimizations/single_anon_set b/tests/shell/testcases/optimizations/single_anon_set
new file mode 100755
index 00000000..7275e360
--- /dev/null
+++ b/tests/shell/testcases/optimizations/single_anon_set
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+# Input file contains rules with anon sets that contain
+# one element, plus extra rule with two elements (that should be
+# left alone).
+
+# Dump file has the simplified rules where anon sets have been
+# replaced by equality tests where possible.
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile".input
diff --git a/tests/shell/testcases/sets/0031set_timeout_size_0 b/tests/shell/testcases/sets/0031set_timeout_size_0
index 9edd5f6f..796640d6 100755
--- a/tests/shell/testcases/sets/0031set_timeout_size_0
+++ b/tests/shell/testcases/sets/0031set_timeout_size_0
@@ -3,10 +3,10 @@
RULESET="add table x
add set x y { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
add chain x test
-add rule x test set update ip saddr timeout 1d2h3m4s8ms @y
+add rule x test set update ip saddr timeout 1d2h3m4s10ms @y
add rule x test set update ip daddr timeout 100ms @y"
set -e
$NFT -f - <<< "$RULESET"
-$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s8ms }'
+$NFT list chain x test | grep -q 'update @y { ip saddr timeout 1d2h3m4s10ms }'
$NFT list chain x test | grep -q 'update @y { ip daddr timeout 100ms }'
diff --git a/tests/shell/testcases/sets/0047nat_0 b/tests/shell/testcases/sets/0047nat_0
index 746a6b6d..cb1d4d68 100755
--- a/tests/shell/testcases/sets/0047nat_0
+++ b/tests/shell/testcases/sets/0047nat_0
@@ -10,7 +10,7 @@ EXPECTED="table ip x {
chain y {
type nat hook postrouting priority srcnat; policy accept;
- snat ip interval to ip saddr map @y
+ snat to ip saddr map @y
}
}
"
diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
index 4f95f383..48d589fe 100755
--- a/tests/shell/testcases/sets/0062set_connlimit_0
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -12,3 +12,15 @@ RULESET="table ip x {
}"
$NFT -f - <<< $RULESET
+
+RULESET="table ip x {
+ set new-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ ct count over 20
+ elements = { 84.245.120.167 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/0065_icmp_postprocessing b/tests/shell/testcases/sets/0065_icmp_postprocessing
new file mode 100755
index 00000000..f838c3ef
--- /dev/null
+++ b/tests/shell/testcases/sets/0065_icmp_postprocessing
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain foo {
+ icmp id 42
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+$NFT insert rule ip x foo index 0 accept
diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0
new file mode 100755
index 00000000..3d1b62d6
--- /dev/null
+++ b/tests/shell/testcases/sets/0067nat_concat_interval_0
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999 }
+ }
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add element ip nat ipportmap { 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+
+EXPECTED="table ip nat {
+ map ipportmap2 {
+ type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.1/8 . 42 - 43 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
diff --git a/tests/shell/testcases/sets/dumps/0047nat_0.nft b/tests/shell/testcases/sets/dumps/0047nat_0.nft
index 70730ef3..e7968054 100644
--- a/tests/shell/testcases/sets/dumps/0047nat_0.nft
+++ b/tests/shell/testcases/sets/dumps/0047nat_0.nft
@@ -8,6 +8,6 @@ table ip x {
chain y {
type nat hook postrouting priority srcnat; policy accept;
- snat ip interval to ip saddr map @y
+ snat ip to ip saddr map @y
}
}
diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft
index 6a816636..bb7c5513 100644
--- a/tests/shell/testcases/sets/dumps/0053echo_0.nft
+++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft
@@ -1,6 +1,6 @@
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
- iifname { "lo" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter packets 0 bytes 0 accept
+ iifname "lo" ip saddr 10.0.0.0/8 ip daddr 192.168.100.62 tcp dport 2001 counter packets 0 bytes 0 accept
}
}
diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
new file mode 100644
index 00000000..c565d21f
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
@@ -0,0 +1,19 @@
+table ip nat {
+ map ipportmap {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 : 10.141.10.1-10.141.10.3 . 8888-8999, 192.168.2.0/24 : 10.141.11.5-10.141.11.20 . 8888-8999 }
+ }
+
+ map ipportmap2 {
+ type ipv4_addr . ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ ip protocol tcp dnat ip to ip saddr map @ipportmap
+ ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+ }
+}